Skip to main content


Splunk Lantern

Configuring the ITSI Notable Event Aggregation Policy


​You want to configure and enable the Notable Event Aggregation Policy (NEAP) to process the notable events so they can be grouped into Splunk ITSI episodes. 

This article is part of the Splunk Use Case Explorer for Observability, which is designed to help you identify and implement prescriptive use cases that drive incremental business value. It explains the solution using a fictitious example company, called CSCorp, that hosts a cloud native application called Online Boutique. In the AIOps lifecycle described in the Use Case Explorer, this article is part of Event analytics.


Use the Notable Event Aggregation Policy (NEAP) within the Content Pack for ITSI Monitoring and Alerting to process notable events from the ITSI_Notable_Event index, group them into episodes, and process them using action rules. Notable events that match the filtering rules in the NEAP will then become part of a new or existing episode in Splunk ITSI . 

The episodes are stored in a Splunk index called ITSI_grouped_Alerts. Using this index, you can group events into a single group, although the alerts may be initiated from Splunk Real User Monitoring, Splunk Synthetic Monitoring, or Splunk APM. This helps to reduce alert noise by having one actionable episode (group) in the context of an application rather than many.

Before you can create these searches, ensure you have completed the following steps:

NEAPs run in the Splunk ITSI rules engine that determines which notable events belong to an episode. The engine also processes action rules that control the behavior of the episode, such as when to create an incident in Splunk On-Call or when to auto-close the episode if all notable events in the episode have been cleared.

Watch this video to see how to create and deploy the "Episodes by Application/SRC o11y" NEAP to group notable events into ITSI episodes.

You can download this ITSI Backup file that includes three correlation searches and one Notable Event Aggregation Policy (NEAP). Use the ITSI Backup/Restore utility to restore these artifacts into your instance of Splunk ITSI.

Next steps

Still having trouble? Splunk has many resources available to help get you back on track.