Group alerts from the Splunk App for Infrastructure in ITSI
ITSI includes a pre-built notable event aggregation policy called
Normalized Policy (Splunk App for Infrastructure) that groups the notable events created for Splunk App for Infrastructure (SAI) alerts into episodes. If the Normalized Correlation Search is enabled, this policy also groups notable events for other third-party alerts that use ITSI normalized fields. You can modify the aggregation policy to meet your specific needs.
The aggregation policy groups notable events created from the following correlation searches:
- Splunk App for Infrastructure Alerts
- Normalized Correlation Search
Enable the Normalized Policy (Splunk App for Infrastructure)
If you enable alert integration in the
Integrate with Splunk App for Infrastructure dialog, the Normalized Policy (Splunk App for Infrastructure) aggregation policy is automatically enabled, along with the Splunk App for Infrastructure Alerts correlation search. If you enabled the correlation search directly, you need to manually enable the aggregation policy to use it.
To enable the SAI aggregation policy, perform the following steps:
- From the ITSI main menu, click Configuration > Notable Event Aggregation Policies.
- Locate the policy called Normalized Policy (Splunk App for Infrastructure).
- Change the status to Enabled.
Normalized Policy (Splunk App for Infrastructure) configuration
The Normalized Policy (Splunk App for Infrastructure) aggregation policy has the following configuration:
|Include the events if||Events are filtered by the following ITSI normalized fields:
|Split events by field||Events are split into multiple episodes by:
|Break episode||The episode is broken:
How the aggregation policy works
If the first event in the episode has a severity of Normal, the episode breaks and no other events are added to it. If there is only one event in the episode, the status changes to Closed.
If two or more events are added to an episode with a severity other than Normal, and then a Normal event comes in (a clearing event):
- The episode breaks.
- The severity is set to Normal.
- The status changes to Resolved.
If an episode contains events with a severity other than Normal:
- The episode breaks if no new events come in for an hour.
- The severity is set to the same as the last event.
- The status changes to Resolved because enough time has passed that a problem most likely no longer exists.
This aggregation policy lets you filter Episode Review by Status to get the following information:
|New||Alerts that are active (the most recent severity is not Normal).|
|Resolved||Alerts that are no longer active (the most recent severity is Normal or no new events have been received for an hour).|
|Closed||Alerts that can be ignored since they were only Normal.|
See Overview of Episode Review in ITSI for information about Episode Review.
Ingest Splunk App for Infrastructure alerts into ITSI as notable events
Overview of creating an ITSI service using an SAI service template
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.5.0 Cloud only, 4.5.1 Cloud only, 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.8.0 Cloud only, 4.8.1 Cloud only, 4.9.0