Splunk® IT Service Intelligence

SAI Integration

Ingest Splunk App for Infrastructure alerts into ITSI as notable events

ITSI can ingest alerts from the Splunk App for Infrastructure (SAI) as notable events in Episode Review. The integration uses a built-in correlation search called Splunk App for Infrastructure Alerts. The correlation search generates a notable event for each SAI alert. Each notable event contains a drilldown link to the entity on the SAI Analysis page.

Integrate alerts from SAI using one of the following methods:

  • Enable alert integration in the Integrate with Splunk App for Infrastructure dialog that appears the first time ITSI detects SAI on the same Splunk Enterprise instance. This enables the built-in correlation search as well as the built-in aggregation policy to group the alerts. You can also navigate to the integration dialog from the Entities lister page in ITSI.
  • Enable the built-in correlation search directly. You also need to enable the built-in aggregation policy if you want to group the alerts in Episode Review.

After you enable alert integration, SAI alerts flow into ITSI in real-time. You cannot select a subset of alerts to import.

To stop receiving alerts from Splunk App for Infrastructure, disable the Splunk App for Infrastructure correlation search. Alternatively, you can navigate to the Integrate with Splunk App for Infrastructure dialog from the Entities lister page and disable alert integration there.

Start ingesting Splunk App for Infrastructure alerts

Integration between SAI and ITSI is enabled by default. If you did not integrate alerts in the initial integration dialog, as described in Integrate with the Splunk App for Infrastructure, you can manually enable alert integration. See Manually enable or disable integration.

To bring in alerts from Splunk App for Infrastructure using the integration dialog, perform the following steps:

  1. Log into ITSI with a Splunk admin account.
  2. The SAI integration dialog opens the first time ITSI detects SAI on the same Splunk Enterprise instance. If the dialog does not open, select Configuration > Entities from the top menu bar and click Manage Integrations to launch it.
  3. Enable the second option (integrate alerts) and click Save.
    This enables the Splunk App for Infrastructure Alerts correlation search and the Normalized Policy (Splunk App for Infrastructure) aggregation policy.
  4. Click View Alerts in Episode Review or close the dialog and select Episode Review from the top menu bar.
  5. Within a couple of minutes, you will see notable events come in for any alerts generated by SAI. If Episode View is on, you will see episodes created by the Normalized Policy (Splunk App for Infrastructure) aggregation policy.

You can navigate back to the Integrate with Splunk App for Infrastructure dialog from the Entities lister page at any time to enable or disable entity and alert integration.

Stop receiving alerts from Splunk App for Infrastructure

The Splunk App for Infrastructure Alerts correlation search ingests alerts from Splunk App for Infrastructure into ITSI. To stop receiving alerts from the Splunk App for Infrastructure, disable the Splunk App for Infrastructure correlation search.

  1. In ITSI, click Configuration > Correlation Searches from the top menu bar.
  2. In the Correlation Searches lister page, toggle the Disabled switch for the Splunk App for Infrastructure Alerts correlation search.

To group notable events generated by the Splunk App for Infrastructure Alerts correlation search in Episode Review, enable the Normalized Policy (Splunk App for Infrastructure) aggregation policy.

For search head cluster environments, you must disable the correlation search in Splunk App for Infrastructure from the savedsearches.conf file by disabling the Splunk App for Infrastructure Alerts stanza. You cannot disable the correlation search from the data input user interface.

About the Splunk App for Infrastructure Alerts correlation search

The Splunk App for Infrastructure Alerts correlation search searches the infra_alerts index for entity alerts from SAI, adds normalized fields for ITSI to the event data, and creates a notable event for each alert. The alert severity level in SAI is mapped to the corresponding severity level in ITSI.

The following table describes the mapping between severity levels in ITSI and SAI:

Splunk App for Infrastructure severity    ITSI severity
1 (normal)                                2 (normal)
3 (medium)                                4 (medium)
5 (critical)                              6 (critical)

The notable events that are generated from this correlation search have the following naming convention:

<Entity title> <metric_name> <state_change: "degraded" or "improved">

For example: webserver01.splunk.com cpu.system degraded.

The correlation search adds the following ITSI normalized fields to the notable event:

  • itsiAlert
  • itsiDetails
  • itsiInstance
  • itsiRawStatus
  • itsiSeverity
  • itsiSubInstance

The Normalized Aggregation Policy for SAI uses some of these fields to group events into episodes. For more information, see Group alerts from the Splunk App for Infrastructure in ITSI.

The correlation search also provides a drilldown link from the notable event to the entity in SAI and a drilldown search that opens the Splunk search for the entity alert. You can modify the correlation search to fit your needs. For more information, see Overview of correlation searches in ITSI.

About the Normalized correlation search

ITSI delivers a correlation search called Normalized Correlation Search. If you enable this search, ITSI generates notable events for all third-party alerts that contain the following normalized fields, including those from SAI:

  • itsiAlert
  • itsiDetails
  • itsiInstance
  • itsiRawStatus
  • itsiSeverity
  • itsiSubInstance

The Normalized aggregation policy groups events from both correlation searches into episodes. For more information, see Group alerts from the Splunk App for Infrastructure in ITSI.
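The following added example (not Splunk's own code) models what the Splunk App for Infrastructure Alerts correlation search does to a single SAI alert, using the severity mapping and naming convention documented above, and checks whether an arbitrary third-party alert carries the six normalized fields the Normalized Correlation Search requires. The input field names (entity_title, metric_name, state, severity) and the choice of which value lands in itsiDetails, itsiInstance, itsiSubInstance and itsiRawStatus are assumptions; the page lists the field names but not the real SAI event schema or the exact value mapping.

```python
# Added example, not part of the Splunk documentation or the ITSI app.
# Field names of the input event and the value-to-field assignment below
# are assumptions; only the severity mapping, the six normalized field
# names and the itsiAlert naming convention come from the documentation.

# SAI severity -> ITSI severity, as documented for the correlation search.
SAI_TO_ITSI_SEVERITY = {1: 2, 3: 4, 5: 6}

# Fields the Normalized Correlation Search requires on a third-party alert.
NORMALIZED_FIELDS = ("itsiAlert", "itsiDetails", "itsiInstance",
                     "itsiRawStatus", "itsiSeverity", "itsiSubInstance")


def map_severity(sai_severity):
    """Return the ITSI severity for a SAI severity, or None if unmapped."""
    try:
        return SAI_TO_ITSI_SEVERITY[int(sai_severity)]
    except (KeyError, TypeError, ValueError):
        return None


def normalize_sai_alert(event):
    """Build the normalized notable-event fields for one SAI alert event."""
    itsi_sev = map_severity(event.get("severity"))
    if itsi_sev is None:
        raise ValueError(f"unmapped SAI severity: {event.get('severity')!r}")
    state = event["state"]
    if state not in ("degraded", "improved"):
        raise ValueError(f"unexpected state_change: {state!r}")
    entity, metric = event["entity_title"], event["metric_name"]
    return {
        # Documented naming convention: <Entity title> <metric_name> <state_change>
        "itsiAlert": f"{entity} {metric} {state}",
        # Assumed assignments: the page does not define these values.
        "itsiDetails": f"{metric} {state} on {entity}",
        "itsiInstance": entity,
        "itsiSubInstance": metric,
        "itsiRawStatus": state,
        "itsiSeverity": itsi_sev,
    }


def missing_normalized_fields(event):
    """List required normalized fields that are absent or empty on an event."""
    return [f for f in NORMALIZED_FIELDS if event.get(f) in (None, "")]


# Constructed sample alert, not a real infra_alerts event.
SAMPLE_ALERT = {"entity_title": "webserver01.splunk.com",
                "metric_name": "cpu.system", "state": "degraded",
                "severity": "5"}
```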

Last modified on 03 August, 2020

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only, 4.5.1 Cloud only, 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0
