Configuring action rules in the ITSI Notable Event Aggregation Policy for Splunk On-Call Integration
You want to create a Splunk On-Call incident from a Splunk ITSI Notable Event Aggregation Policy (NEAP) action rule that fires on episodes built from Splunk Observability Cloud alerts. The rule should also carry enough context and data for Splunk On-Call annotations or URI drill-downs back into Splunk Observability Cloud, reducing mean time to detect (MTTD) and mean time to restore (MTTR).
This article is part of the Splunk Use Case Explorer for Observability, which is designed to help you identify and implement prescriptive use cases that drive incremental business value. It explains the solution using a fictitious example company, called CSCorp, that hosts a cloud native application called Online Boutique. In the AIOps lifecycle described in the Use Case Explorer, this article is part of Notification.
Solution
Use the Content Pack for ITSI Monitoring and Alerting Notable Event Aggregation Policy (NEAP).
- Ensure that you have Splunk ITSI episodes being created in ITSI from Splunk Observability Cloud alerts.
- Configure the Splunk ITSI NEAP action rules to use the Splunk On-Call integration for ITSI. One rule should create the On-Call incident when the episode opens; a second should auto-close that same On-Call incident when the ITSI correlation search determines the episode is healed and should be auto-closed.
- Validate the Splunk ITSI integration for the full lifecycle of a Splunk Observability Cloud alert. The lifecycle should span from the initial Splunk APM alert for the Online Boutique application degradation, to the auto-closing of the ITSI episode and auto-resolution of the Splunk On-Call incident when the alert is remediated.
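The lifecycle the steps above describe (episode opens, incident is created; episode heals, incident auto-resolves) depends on one detail that is easy to get wrong in the action rule: the create and the resolve messages must reference the same entity, or On-Call opens a second incident and never resolves the first. The following is an added example, not code from the article, the content pack, or the Splunk On-Call integration. It models the exchange offline: the episode fields are constructed, the endpoint URL pattern and `message_type`/`entity_id` field names are assumed to follow the Splunk On-Call (VictorOps) generic REST alert format, and `FakeOnCall` is a stand-in for the On-Call side so nothing is sent over the network.

```python
"""Model the create / auto-resolve lifecycle of a Splunk On-Call incident driven
by an ITSI episode, and the failure mode where the entity_id drifts."""
import json

# Constructed sample episode, shaped like the notable-event-group fields an ITSI
# action rule can template from. Values are invented for this example.
SAMPLE_EPISODE = {
    "itsi_group_id": "c1a2b3d4-onlineboutique-apm",
    "title": "Online Boutique checkout latency degraded",
    "description": "Splunk APM alert: p99 latency > 2s on checkoutservice",
    "severity": "6",   # ITSI severity 6 = critical
    "status": "2",     # ITSI status 2 = in progress
}

# Assumption: the rule ultimately posts to the On-Call generic REST endpoint.
ONCALL_REST_URL = (
    "https://alert.victorops.com/integrations/generic/20131114/alert/"
    "{api_key}/{routing_key}"
)


def oncall_endpoint(api_key, routing_key):
    """Build the assumed REST URL; keep the API key out of logs and source control."""
    return ONCALL_REST_URL.format(api_key=api_key, routing_key=routing_key)


def build_oncall_payload(episode, healed):
    """Create-or-resolve payload keyed on the ITSI episode ID.

    Reusing one entity_id for the CRITICAL and the RECOVERY message is what lets
    On-Call resolve the existing incident instead of opening a second one.
    """
    return {
        "message_type": "RECOVERY" if healed else "CRITICAL",
        "entity_id": "itsi-episode-" + episode["itsi_group_id"],
        "entity_display_name": episode["title"],
        "state_message": episode["description"],
        "monitoring_tool": "Splunk ITSI",
        "itsi_group_id": episode["itsi_group_id"],   # extra field for drill-down templates
    }


class FakeOnCall:
    """Offline stand-in for On-Call: one incident per entity_id, like the real service."""

    def __init__(self):
        self.incidents = {}

    def post(self, payload):
        body = json.loads(json.dumps(payload))  # simulate the JSON round trip
        eid = body["entity_id"]
        if body["message_type"] in ("CRITICAL", "WARNING"):
            # Repeated triggers for the same entity attach to the open incident.
            self.incidents.setdefault(eid, {"state": "open", "count": 0})
            self.incidents[eid]["count"] += 1
        elif body["message_type"] == "RECOVERY" and eid in self.incidents:
            self.incidents[eid]["state"] = "resolved"
        # A RECOVERY for an unknown entity_id is silently dropped, as On-Call does.
        return body


def run_lifecycle(episode=SAMPLE_EPISODE):
    """Happy path: trigger, re-trigger, then heal the same episode."""
    oncall = FakeOnCall()
    oncall.post(build_oncall_payload(episode, healed=False))   # episode opens
    oncall.post(build_oncall_payload(episode, healed=False))   # alert re-fires, same incident
    oncall.post(build_oncall_payload(episode, healed=True))    # correlation search heals it
    return oncall.incidents


def run_broken_lifecycle(episode=SAMPLE_EPISODE):
    """Failure mode: the auto-close rule templates a different entity_id, so the
    RECOVERY never matches and the original incident stays open."""
    oncall = FakeOnCall()
    oncall.post(build_oncall_payload(episode, healed=False))
    bad = build_oncall_payload(episode, healed=True)
    bad["entity_id"] = "itsi-episode-" + episode["itsi_group_id"] + "-healed"
    oncall.post(bad)
    return oncall.incidents


if __name__ == "__main__":
    print(json.dumps(run_lifecycle(), indent=2))
    print(json.dumps(run_broken_lifecycle(), indent=2))
```

When validating the integration end to end, compare the `entity_id` (or equivalent correlation field) emitted by the create rule and the auto-close rule for the same episode; if they differ, the ITSI episode will close while the On-Call incident lingers.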
Watch this video to see the full process to configure the Splunk ITSI NEAP to auto-create and auto-resolve the Splunk On-Call incident.
You can download this ITSI Backup file that includes three correlation searches and one Notable Event Aggregation Policy (NEAP). Use the ITSI Backup/Restore utility to restore these artifacts into your instance of Splunk ITSI.
Next steps
Still having trouble? Splunk has many resources available to help get you back on track.
- Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.
- Splunk Answers: Ask your question to the Splunk Community, which has provided over 50,000 user solutions to date.
- Splunk Customer Support: Contact Splunk to discuss your environment and receive customer support.
- Splunk Observability Training Courses: Comprehensive Splunk training to fully unlock the power of Splunk Observability Cloud.