Restore active episodes when the Rules Engine restarts in ITSI
The Rules Engine
itsi_event_grouping search in IT Service Intelligence (ITSI) is responsible for aggregating notable events into episodes. If the Rules Engine is disabled, either during a restart of Splunk Enterprise or manually by a user, it stops grouping notable events.
When the Rules Engine restarts and the
itsi_event_grouping search is re-enabled, the Rules Engine restores active episodes over the last 90 days. Then it searches for notable events that were missed while the search was disabled and backfills them accordingly into episodes. This functionality is distinctly different than periodic backfill, which only functions when the Rules Engine is up and running. Periodic backfill looks for events missed because of data unavailability on the indexers. For more information, see Configure Rules Engine periodic backfill in ITSI.
The default lookback time for missed events and episodes is 2160 hours (90 days). If you expect episodes in your environment to remain active for more than 90 days, you can increase the lookback time by modifying the
group_restore_lookback_time field in the
- Only users with file system access, such as system administrators, can modify the Rules Engine lookback time.
- Review the steps in How to edit a configuration file in the Admin Manual.
Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location.
- Open or create a local copy of the
- Add the following setting to the file:
group_restore_lookback_time = <number of hours>.
For example, to look back two days, add the following setting:
group_restore_lookback_time = 48
Tune episode and aggregation policy sizing parameters in ITSI
Configure Rules Engine periodic backfill in ITSI
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.8.0 Cloud only, 4.8.1 Cloud only, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2