Configuring the ITSI Notable Event Aggregation Policy
You want to configure and enable the Notable Event Aggregation Policy (NEAP) to process the notable events so they can be grouped into Splunk ITSI episodes.
This article is part of the Splunk Use Case Explorer for Observability, which is designed to help you identify and implement prescriptive use cases that drive incremental business value. It explains the solution using a fictitious example company, called CSCorp, that hosts a cloud native application called Online Boutique. In the AIOps lifecycle described in the Use Case Explorer, this article is part of Event analytics.
Solution
Use the Notable Event Aggregation Policy (NEAP) within the Content Pack for ITSI Monitoring and Alerting to process notable events from the ITSI_Notable_Event index, group them into episodes, and process them using action rules. Notable events that match the filtering rules in the NEAP then become part of a new or existing episode in Splunk ITSI.
The episodes are stored in a Splunk index called ITSI_grouped_Alerts. Using this index, you can group events into a single group, even though the alerts may be initiated from Splunk Real User Monitoring, Splunk Synthetic Monitoring, or Splunk APM. This helps to reduce alert noise by having one actionable episode (group) in the context of an application rather than many.
Before you can create these searches, ensure you have completed the following steps:
- Integrated Observability Cloud alerts with Splunk ITSI
- Normalized Observability Cloud alerts into the ITSI Universal Alerting schema
- Configured the ITSI Notable Event Aggregation Policy
NEAPs run in the Splunk ITSI rules engine that determines which notable events belong to an episode. The engine also processes action rules that control the behavior of the episode, such as when to create an incident in Splunk On-Call or when to auto-close the episode if all notable events in the episode have been cleared.
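To make the rules-engine behaviour concrete, the following is an added, self-contained simulation written for this article; it is not the ITSI rules engine or any Splunk code. It applies a filtering rule (drop events with no application or informational severity), a grouping rule (one episode per application), and an action rule that auto-closes an episode once every notable event in it has been cleared, after which a new event for the same application opens a fresh episode. The field names (event_id, application, source, severity, status), the severity threshold, the second application "Payments Service", and the sample records are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed notable-event records in arrival order. Field names are assumed, not the
# Universal Alerting schema itself. A "cleared" record clears an earlier event_id.
SAMPLE_RECORDS = [
    {"event_id": "e1", "application": "Online Boutique", "source": "Splunk APM", "severity": 5, "status": "new"},
    {"event_id": "e2", "application": "Online Boutique", "source": "Splunk RUM", "severity": 4, "status": "new"},
    {"event_id": "e3", "application": "Online Boutique", "source": "Splunk Synthetics", "severity": 1, "status": "new"},
    {"event_id": "e4", "application": "Payments Service", "source": "Splunk APM", "severity": 4, "status": "new"},
    {"event_id": "e1", "application": "Online Boutique", "source": "Splunk APM", "severity": 5, "status": "cleared"},
    {"event_id": "e2", "application": "Online Boutique", "source": "Splunk RUM", "severity": 4, "status": "cleared"},
    {"event_id": "e5", "application": "Online Boutique", "source": "Splunk APM", "severity": 5, "status": "new"},
]


@dataclass
class Episode:
    group: str
    events: list = field(default_factory=list)
    status: str = "open"


def passes_filter(record):
    # Filtering rule: the event must carry an application and be above informational severity.
    return bool(record.get("application")) and record["severity"] > 1


def group_key(record):
    # Grouping rule: one episode per application, regardless of which product raised the alert.
    return record["application"]


def apply_action_rules(episode):
    # Action rule: auto-close once every notable event in the episode has been cleared.
    if episode.events and all(ev["status"] == "cleared" for ev in episode.events):
        episode.status = "closed"


def process_events(records):
    """Feed records through the simulated policy; returns {application: [episodes, newest last]}."""
    episodes = {}
    for rec in records:
        if not passes_filter(rec):
            continue
        key = group_key(rec)
        chain = episodes.setdefault(key, [])
        current = chain[-1] if chain and chain[-1].status == "open" else None
        if rec["status"] == "cleared":
            # A clear only updates an event already tracked in the open episode; a clear that
            # arrives after the episode has closed is dropped rather than reopening it.
            if current is not None:
                for ev in current.events:
                    if ev["event_id"] == rec["event_id"]:
                        ev["status"] = "cleared"
                apply_action_rules(current)
            continue
        if current is None:
            # Breaking condition: a closed episode never reopens, so start a new one.
            current = Episode(group=key)
            chain.append(current)
        current.events.append(dict(rec))
    return episodes


def summarize(episodes):
    """Collapse episodes to (status, number of events) per application for inspection."""
    return {app: [(ep.status, len(ep.events)) for ep in chain] for app, chain in episodes.items()}


if __name__ == "__main__":
    for app, chain in summarize(process_events(SAMPLE_RECORDS)).items():
        print(app, chain)
```

Running the sample gives one closed and one open episode for Online Boutique (e3 was filtered out as informational, e1 and e2 were cleared, e5 opened a new episode) and a single open episode for Payments Service.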
Watch this video to see how to create and deploy the "Episodes by Application/SRC o11y" NEAP to group notable events into ITSI episodes.
You can download this ITSI Backup file that includes three correlation searches and one Notable Event Aggregation Policy (NEAP). Use the ITSI Backup/Restore utility to restore these artifacts into your instance of Splunk ITSI.
Next steps
Still having trouble? Splunk has many resources available to help get you back on track.
- Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.
- Splunk Answers: Ask your question to the Splunk Community, which has provided over 50,000 user solutions to date.
- Splunk Customer Support: Contact Splunk to discuss your environment and receive customer support.
- Splunk Observability Training Courses: Comprehensive Splunk training to fully unlock the power of Splunk Observability Cloud.