Skip to main content
Lantern Home

 

Splunk Lantern

Configuring ITSI correlation searches to create notable events

  1. Last updated
  2. Save as PDF

 

You have integrated your Splunk Observability Cloud alerts with Splunk ITSI and normalized Splunk Observability Cloud alerts into the ITSI Universal Alert Schema. Now you want to configure the universal correlation search to create notable events in Splunk ITSI. These notable events are stored in a Splunk index called ITSI_Notable_Event.

This article is part of the Splunk Use Case Explorer for Observability, which is designed to help you identify and implement prescriptive use cases that drive incremental business value. It explains the solution using a fictitious example company, called CSCorp, that hosts a cloud native application called Online Boutique. In the AIOps lifecycle described in the Use Case Explorer, this article is part of Event analytics.

Solution

Use the Content Pack for ITSI Monitoring and Alerting and Splunk Enterprise to query normalized alert data and create Splunk ITSI notable events.

Watch this video to see how to create and deploy the universal correlation search to process all of the Splunk Observability Cloud alerts that arrive into the Alerts index to create ITSI notable events. The universal correlation search is a scheduled search that runs on the ITSI search head or search head cluster.

You can download this ITSI Backup file that includes three correlation searches and one Notable Event Aggregation Policy (NEAP). Use the ITSI Backup/Restore utility to restore these artifacts into your instance of Splunk ITSI.

Next steps

Still having trouble? Splunk has many resources available to help get you back on track.