Triage episodes in ITSI
Use Episode Review as part of your episode triage workflow. You can monitor episodes and the actions that analysts take to resolve the issues that triggered an episode.
ITSI groups notable events into episodes according to the rules defined in the default aggregation policy or a custom policy you created. See Overview of aggregation policies in ITSI for more information.
If service level permissions are enabled for Episode Review, you only see episodes that contain at least one event associated with a service for which you have read permission or at least one event that is not associated with any services. For more information, see Overview of teams in ITSI.
When you identify an episode that requires investigation, the first step is to acknowledge the episode. Acknowledging a episode changes its status from New to In Progress and assigns the owner to the current ITSI user.
You can acknowledge an episode with a status of New. If an episode with a status of New is already assigned to an owner, acknowledging the episode changes the owner to the current ITSI user. You can acknowledge multiple episodes as long as at least one of the episodes has a status of New. Only the new episodes are updated to In Progress and assigned to the current user.
- Select an episode with a status of New.
- Clickto assign the episode to the currently logged in ITSI user.
Accelerate triage with filters and sorting
Speed up your episode triage with search filters and sorting. For example, focus on specific episodes with the search filters and time range selector. Episodes contain Severity, Status, and Owner fields to help you categorize, track, and assign them.
You can filter for episodes created by the same aggregation policy by using the Policy filter. As you type, the aggregation policy names appear for you to select. You can add more than one filter. For example, you could also add a filter for Owner, Unassigned to see only new episodes that are unassigned.
Use the Add filter option to filter episodes by one or more attributes, such as owner, severity, or specific event fields within the episode. Only episodes containing the selected values are shown. You can use the wildcard (*) character to support partial matching of attributes and values. Attributes and values are case insensitive. The suggested values are fetched based on the time range applied to Episode Review. The number of values displayed in the menu is capped, so there might be cases where a notable exists but isn't listed as a suggested value.
Click the Sorted by dropdown to select an attribute by which to sort episodes. For example, if you select Severity, the episodes are listed in order of highest to lowest severity level, and sorted secondarily by time. Click Add sub-sort to sort against additional episode attributes. The sort operates hierarchically from left to right, meaning episodes are sorted by the first attribute, then those with an identical first attribute are sorted by the second attribute, and so on. You can sort by a maximum of three attributes. Use the arrow ( ) to switch between ascending and descending order.
Use the search box to search for specific text in an episode. You can use an asterisk as a wildcard character. To search for a specific phrase, enclose the phrase in double quotes (for example: "service level alert"). The search field is case insensitive.
Save a custom view of Episode Review
To save a filtered view of Episode Review, click Save as... and give the view a meaningful name. To access the saved view in the future, click the tab in the top left to pull out the Saved Views panel.
Episodes are unassigned by default. You can assign one episode at a time, or several at once.
You must have the
itoa_analyst role to assign episodes to a user.
- Select one or more new episodes.
- Click the Unassigned dropdown.
- Select an owner to assign the episode to.
If you use SAML authentication, it can take up to 10 minutes to update the list of users that you can assign episodes to.
Update the status of an episode
New episodes have the New status. As analysts triage and move an episode through the episode review workflow, the owner can update the status of the episode to reflect the actions they take to address it.
- Select one or more episodes.
- Click the status in the toolbar (for example, New). If the selected episodes have different statuses, Original Statuses is displayed.
- Change the status. The updated status is reflected in the episode.
If your changes are not immediately visible, check the dashboard filters. For example, if the filter is set to "New" after you changed an episode to "In Progress", your updated episode will not display.
You can choose from the following episode statuses.
|Unknown||Used by ITSI when an error prevents the episode from having a valid status assignment.|
|New||Default status. The episode has not been reviewed.|
|In Progress||An owner is investigating the episode.|
|Pending||An action must occur before the episode can be closed.|
|Resolved||The owner has addressed the cause of the episode and is waiting for verification.|
|Closed||The resolution of the episode has been verified.|
When you update an episode, the change is reflected in the episode but not in the individual events in the episode. For example, if you change the status to "In Progress" for an episode, the status of the episode changes to In Progress, but the individual notable events in the episode retain their own statuses.
Overview of Episode Review in ITSI
Investigate episodes in ITSI
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.7.0, 4.7.1, 4.7.2