Splunk® Content Packs for ITSI and IT Essentials Work

About the Content Pack for Alert Routing

The Content Pack for Alert Routing is intended for use in IT Essentials Work. By default, alerts triggered from the vital metrics alert configuration in IT Essentials Work are stored in a Splunk index. IT Essentials Work users can view alerts on the Alerts and Episodes page. This content pack extends the default alert functionality by allowing you to take an external action when an alert is triggered, such as sending an email. To determine what action to take, and to whom the alert should be sent, the content pack allows you to configure one or more external actions on the entity Info Fields in the entity configuration. Any time an alert is created for an entity, the content pack triggers the configured action(s) for that entity. These external actions are available:

  • Send an email
  • Create an incident in Splunk On-Call
  • Create an incident in ServiceNow
  • Execute a custom script or action

Installation

The Splunk App for Content Packs v1.3.0 contains the Content Pack for Alert Routing. For installation instructions, see Install and configure the Content Pack for Alert Routing.

Deployment requirements

Use the following table to determine version compatibility:

Content pack version | ITE Work version | Splunk App for Content Packs version
---------------------|------------------|-------------------------------------
1.0.0                | 4.9.0 or higher  | 1.3.0

FAQ

Can I take more than one action when an alert triggers?

Yes. If you specify multiple alert actions in the alert_routing field, each of those alert actions is executed when the alert is triggered. See the Configure alert routing rules on the entity step for a multi-value example.

Can I configure an alert to execute a custom script or take another action not supported by default in the content pack?

Yes. The content pack comes with the IT Essentials Work - Custom Alert Action Generator search, which is intended to allow you to execute any desired custom action not supported by default.

Can I put an entity into maintenance mode and suppress alert actions?

You can suppress alerts using any of these options:

  • Disable one or more of the IT Essentials Work - Alert Action Generator searches in this content pack. Each search drives one action type, so disabling a search suppresses that action for all triggered alerts, on every entity.
  • Disable the alerting configuration on the vital metric in the entity type configuration screen to suppress alerts for that vital metric.
  • Remove or modify the alert_routing configuration on the entity to suppress or disable alerting for that entity.
  • More sophisticated maintenance management is available as a premium feature of ITSI. For more info, go to the Overview of Event Analytics in ITSI.

Can I throttle the number of alert actions taken per entity or per alert?

You can achieve alert throttling using one of these options:

  • Modify the throttling configuration on the vital metric alert in the entity type configuration screen to throttle down the number of times an alert is triggered for a vital metric.
  • Modify the throttling configuration on any of the IT Essentials Work - Alert Action Generator searches in this content pack to throttle down the number of times the alert action is taken.
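The following Python model, added here as an illustration and not code from the content pack, shows the three behaviours the FAQ describes above: a multi-value alert_routing field firing more than one action, an entity with no alert_routing configuration being suppressed, and a throttle window limiting how often the same action fires for the same entity and vital metric. The action names ("email", "oncall", "servicenow", "custom"), the comma-separated string form of the field, and the throttle window are assumptions chosen for the example; the content pack implements these decisions in its saved searches, not in Python.

```python
"""Illustrative model of how an entity's alert_routing field drives alert
actions. Added example; it is not the content pack's code and does not talk
to Splunk. Action names and the throttle window are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

# Assumed names for the four external actions the content pack supports.
SUPPORTED_ACTIONS = ("email", "oncall", "servicenow", "custom")


def parse_alert_routing(value: Union[str, List[str], None]) -> List[str]:
    """Normalise the entity's alert_routing Info Field.

    Splunk multi-value fields arrive as a list; an operator may also type a
    comma-separated string. Whitespace is stripped and duplicates removed
    while keeping order, so "email, email" fires one email, not two.
    """
    if value is None:
        return []
    parts = value.split(",") if isinstance(value, str) else list(value)
    cleaned = [p.strip().lower() for p in parts if p and p.strip()]
    return list(dict.fromkeys(cleaned))


@dataclass
class Alert:
    entity: str
    vital_metric: str
    ts: float  # epoch seconds


@dataclass
class Router:
    """Decides which actions fire for an alert.

    entity_routing maps entity title -> raw alert_routing value. An entity
    with no alert_routing (or an empty one) gets no actions, which is the
    "remove the alert_routing configuration" suppression option. The
    throttle window stands in for the per-search throttling on the Alert
    Action Generator searches: the same (entity, vital metric, action)
    triple fires at most once per window. disabled_actions stands in for
    disabling one generator search.
    """
    entity_routing: Dict[str, Union[str, List[str], None]]
    throttle_seconds: float = 0.0
    disabled_actions: frozenset = frozenset()
    _last_fired: Dict[Tuple[str, str, str], float] = field(default_factory=dict)

    def route(self, alert: Alert) -> Tuple[List[str], List[Tuple[str, str]]]:
        """Return (actions to fire, [(action, reason) skipped])."""
        fired: List[str] = []
        skipped: List[Tuple[str, str]] = []
        for action in parse_alert_routing(self.entity_routing.get(alert.entity)):
            if action not in SUPPORTED_ACTIONS:
                skipped.append((action, "unsupported"))
                continue
            if action in self.disabled_actions:
                skipped.append((action, "generator search disabled"))
                continue
            key = (alert.entity, alert.vital_metric, action)
            last = self._last_fired.get(key)
            if last is not None and alert.ts - last < self.throttle_seconds:
                skipped.append((action, "throttled"))
                continue
            self._last_fired[key] = alert.ts
            fired.append(action)
        return fired, skipped


if __name__ == "__main__":
    # Constructed sample entities and alerts (not real data).
    router = Router(
        entity_routing={
            "web-01": ["email", "oncall"],         # multi-value: both fire
            "db-01": "email, servicenow, email",   # string form with a repeat
            "batch-01": None,                      # alert_routing removed
        },
        throttle_seconds=600,
    )
    print(router.route(Alert("web-01", "cpu.utilization", 1000.0)))
    print(router.route(Alert("web-01", "cpu.utilization", 1100.0)))  # throttled
    print(router.route(Alert("db-01", "disk.free", 1000.0)))
    print(router.route(Alert("batch-01", "cpu.utilization", 1000.0)))
```

The throttle key includes the vital metric, so a CPU alert and a disk alert on the same entity each get their own window; if you want one window per entity regardless of metric, as the first throttling option above effectively gives you, drop vital_metric from the key.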

Can I route alerts to different people/teams based on the type of alert?

Yes. See the Configure alternate alert routing for a specific vital metric alert section for steps to configure more complex conditions.

Can I alert someone differently based on the time of day, or day of the week?

Yes. See the Configure alternate alert routing based on other conditions section for steps on how to configure additional conditions.

Can I alert someone differently based on the severity of the alert?

Yes. See the Configure alternate alert routing based on other conditions section for steps on how to configure additional conditions.

How does this work with alerts from Splunk App for Infrastructure (SAI)?

At this time, this content pack is designed to act only on alerts coming from the alerting configuration of an IT Essentials Work vital metric. Any alerts and alert action configurations from SAI will continue to operate as they are configured there. If the same alert is configured in both SAI and IT Essentials Work, you might receive duplicate alert actions since no attempt is made to consolidate or suppress this duplicate configuration.

How does this work with alerts from Splunk Enterprise?

At this time, this content pack is designed to act only on alerts coming from the alerting configuration of an IT Essentials Work vital metric. Any alerts and alert action configurations from Splunk Enterprise will continue to operate as they are configured there. If the same alert is configured in both Splunk Enterprise and IT Essentials Work, you might receive duplicate alert actions since no attempt is made to consolidate or suppress this duplicate configuration.

Last modified on 08 October, 2021

This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current
