Normalize alerts with correlation search templates in ITSI
IT Service Intelligence (ITSI) ships with several predefined correlation search templates to help you normalize alerts from common third-party systems. Leverage these searches when creating a correlation search to bring third-party alerts into ITSI and normalize them as notable events. For more information about correlation searches, see Overview of correlation searches in ITSI.
|ITSI role||You must have the write_itsi_correlation_search capability to create a correlation search. The itoa_admin and itoa_team_admin ITSI roles have this capabilities by default.|
|Ingest third-party data||You must be ingesting data from the corresponding third-party alerting system into Splunk Enterprise in order to normalize it in ITSI. Optionally, you can install the related Splunk add-on for that system. The table below lists the add-ons related to each search, if available.|
Access correlation search templates
All third-party search templates are available within the correlation search creation workflow. To leverage a template, perform the following steps:
- From the ITSI main menu, click Configuration > Correlation Searches.
- Click Create New Search > Create Correlation Search.
- Provide a name and description for the search.
- For Search Type, choose Predefined.
- Click Select a Search and choose from one of the predefined search templates described below.
- Click Select an index and choose an index to use for the search.
- Configure the rest of the correlation search to normalize the third-party alert fields. For instructions, see Ingest third-party alerts into ITSI.
Available correlation search templates
Choose from the following correlation search templates to bring third-party alerts into ITSI:
|BMC TrueSight Events||
||BMC Truesight (patrol, msend) stateful events. Deduplicated by |
||MuleSoft stateful related events, filtering out severity=INFO, deduplicated by |
||Nagios stateful performance events. Filtering by sourcetype=nagiosserviceperf, deduplicated by |
Add-on: Splunk Add-on for Nagios Core
||Netcool stateful performance events. Deduplicated by |
||New Relic stateful events. Filtering by sourcetype=newrelic*, deduplicated by |
Add-on: Splunk Add-on for New Relic
||ScienceLogic em7 stateful events. Deduplicated by |
||SolarWinds stateful events, not performance metrics. Deduplicated by |
Add-on: SolarWinds Add-on for Splunk
|Unix or Linux Events||
||Unix and Linux-based stateful events using the field |
Add-on: Splunk Add-on for Unix and Linux
|WinEvent:System or WinEvent:Application||
||Windows-based stateful events from winevents:system and winevents:application. Filtering out informational events and deduplicated on |
||AppDynamics stateful events based on the ingest events from AppDynamics, using spath to expand the key-value pairs into single fields. Deduplicated by |
Add-on: Splunk Add-on for AppDynamics
|Health Rule Violations||
||AppDynamics health rule stateful violations based on the ingest of health rule events from AppDynamics, using spath to expand the key-value pairs into single fields. Deduplicated on |
Add-on: Splunk Add-on for AppDynamics
Ingest third-party alerts into ITSI
Ingest SNMP traps into ITSI
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.8.0 Cloud only, 4.8.1 Cloud only, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.16.0 Cloud only
Feedback submitted, thanks!