Skip to main content


Splunk Lantern

Configuring action rules in the ITSI Notable Event Aggregation Policy for Splunk On-Call Integration


You want to create a Splunk On-Call incident using an Splunk Observability Cloud Notable Event Aggregation Policy (NEAP) action rule. This rule should also have appropriate context and data to allow Splunk On-Call annotations or URI drill-downs for accelerated mean-time-to-detect (MTTD) and mean-time-to-restore (MTTR) in Splunk Observability Cloud.

This article is part of the Splunk Use Case Explorer for Observability, which is designed to help you identify and implement prescriptive use cases that drive incremental business value. It explains the solution using a fictitious example company, called CSCorp, that hosts a cloud native application called Online Boutique. In the AIOps lifecycle described in the Use Case Explorer, this article is part of Notification.


Use the Content Pack for ITSI Monitoring and Alerting Notable Event Aggregation Policy (NEAP).

  1. Ensure that you have Splunk ITSI episodes being created in ITSI from Splunk Observability Cloud alerts.
  2. Configure the Splunk ITSI NEAP action rules. The rule should create the On-Call incident and also auto-close the On-Call incident when Splunk ITSI correlation search has determined the episode is healed and should be auto-closed.


  3. Configure the Splunk ITSI NEAP policy to leverage the On-Call ITSI integration. The policy should use a rule that creates the On-Call incident and also auto-closes the On-Call incident when ITSI correlation search has determined the episode is healed and should be auto-closed.
  4. Validate the Splunk ITSI integration for the full lifecycle of a Splunk Observability Cloud alert. The lifecycle should span from the initial Splunk APM alert for the Online Boutique application degradation, to the auto-closing of the ITSI episode and auto-resolution of the Splunk On-Call incident when the alert is remediated.

Watch this video to see the full process to configure the Splunk ITSI NEAP to auto-create and auto-resolve the Splunk On-Call incident.

You can download this ITSI Backup file that includes three correlation searches and one Notable Event Aggregation Policy (NEAP). Use the ITSI Backup/Restore utility to restore these artifacts into your instance of Splunk ITSI.

Next steps

Still having trouble? Splunk has many resources available to help get you back on track.