Normalizing Observability Cloud alerts into the ITSI Universal Alerting schema
You have integrated your Splunk Observability Cloud alerts with Splunk ITSI and now need to normalize the data so that every alert, whatever its source, has the same shape: the ITSI Universal Alerting schema. Consistent field names and severity values are what let the downstream universal correlation search create notable events in Splunk ITSI from alerts of many different sources.
This article is part of the Splunk Use Case Explorer for Observability, which is designed to help you identify and implement prescriptive use cases that drive incremental business value. It explains the solution using a fictitious example company, called CSCorp, that hosts a cloud native application called Online Boutique. In the AIOps lifecycle described in the Use Case Explorer, this article is part of Event analytics.
Solution
Use the Content Pack for ITSI Monitoring and Alerting together with Splunk Enterprise to normalize Splunk Observability Cloud detector alerts into the Splunk ITSI alerts index.
Watch this video to see how this is done.
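The normalization step itself, as an added example that is not part of this article or of the content pack: in Splunk this mapping is done by the content pack's own searches, so the Python below only makes the logic visible and runnable offline. The vendor-side field names follow the Observability Cloud detector webhook payload (detector, rule, severity, status, timestamp, inputs, messageBody, messageTitle, detectorId, incidentId). The target-side names (src, signature, severity_id, vendor_severity, vendor_status, description, app) and the host-dimension lookup are assumptions standing in for the Universal Alerting schema; take the authoritative field list from the content pack documentation. The sample payloads are constructed.

```python
"""Added example: map Observability Cloud detector alert payloads onto a flat
record shaped like the ITSI Universal Alerting schema. Target field names are
assumptions for illustration, not the content pack's definitive schema."""
from __future__ import annotations

import json
from typing import Any, Optional

# ITSI severity levels: 1 info, 2 normal, 3 low, 4 medium, 5 high, 6 critical.
# Observability Cloud detector severities are Critical, Major, Minor, Warning, Info.
VENDOR_TO_ITSI = {"critical": 6, "major": 5, "minor": 4, "warning": 3, "info": 1}
ITSI_NORMAL = 2
ITSI_UNKNOWN = 4  # assumption: an unrecognized vendor severity lands as medium instead of being dropped
REQUIRED = ("detector", "rule", "status", "timestamp")


def itsi_severity(vendor_severity: Optional[str], status: str) -> int:
    """A clear event (status "ok") always becomes normal so the notable can be closed;
    otherwise the vendor severity name is mapped by table."""
    if status.lower() == "ok":
        return ITSI_NORMAL
    if not vendor_severity:
        return ITSI_UNKNOWN
    return VENDOR_TO_ITSI.get(vendor_severity.lower(), ITSI_UNKNOWN)


def source_of(payload: dict[str, Any]) -> str:
    """Pick the entity the alert is about: the first input's host dimension if one exists,
    else the detector name. Assumption: real detectors may carry other dimensions."""
    for signal in (payload.get("inputs") or {}).values():
        key = signal.get("key") or {}
        for dim in ("host", "host.name", "k8s.pod.name"):
            if dim in key:
                return key[dim]
    return payload["detector"]


def normalize(payload: dict[str, Any]) -> dict[str, Any]:
    """Return one record in the assumed Universal Alerting shape, or raise on a malformed payload."""
    missing = [k for k in REQUIRED if k not in payload]
    if missing:
        raise ValueError(f"alert payload missing {missing}")
    status = payload["status"]
    return {
        "_time": payload["timestamp"],
        "src": source_of(payload),
        "signature": f"{payload['detector']}: {payload['rule']}",
        "severity_id": itsi_severity(payload.get("severity"), status),
        "vendor_severity": payload.get("severity", ""),
        "vendor_status": status,
        "description": payload.get("messageBody") or payload.get("messageTitle") or "",
        "app": "splunk_observability",  # assumption: tag the producing system for the correlation search
        "incident_id": payload.get("incidentId", ""),
        "detector_id": payload.get("detectorId", ""),
    }


def normalize_batch(raw: str) -> tuple[list[dict[str, Any]], list[str]]:
    """Parse a JSON array of payloads. Malformed entries are reported, never silently dropped."""
    good: list[dict[str, Any]] = []
    errors: list[str] = []
    for i, item in enumerate(json.loads(raw)):
        try:
            good.append(normalize(item))
        except (ValueError, AttributeError, TypeError) as exc:
            errors.append(f"item {i}: {exc}")
    return good, errors


# Constructed sample payloads (not real alerts), shaped after the detector webhook body.
SAMPLE_ALERTS = json.dumps([
    {"detector": "Checkout latency", "rule": "p99 above 2s", "severity": "Critical",
     "status": "anomalous", "timestamp": "2024-03-01T10:15:00Z",
     "detectorId": "DETECTOR_A", "incidentId": "INCIDENT_1",
     "messageTitle": "Checkout latency", "messageBody": "p99 latency is 3.1s",
     "inputs": {"A": {"value": "3.1", "key": {"sf_metric": "checkout.latency.p99", "host": "web-01"}}}},
    {"detector": "Checkout latency", "rule": "p99 above 2s", "severity": "Critical",
     "status": "ok", "timestamp": "2024-03-01T10:25:00Z",
     "detectorId": "DETECTOR_A", "incidentId": "INCIDENT_1",
     "messageBody": "p99 latency back to normal",
     "inputs": {"A": {"value": "0.8", "key": {"sf_metric": "checkout.latency.p99", "host": "web-01"}}}},
    {"detector": "Checkout latency", "rule": "error budget burn", "severity": "Blocker",
     "status": "anomalous", "timestamp": "2024-03-01T10:30:00Z", "detectorId": "DETECTOR_B"},
    {"detector": "Cart service", "severity": "Major", "status": "anomalous",
     "timestamp": "2024-03-01T10:31:00Z"},
])

if __name__ == "__main__":
    events, errs = normalize_batch(SAMPLE_ALERTS)
    for event in events:
        print(json.dumps(event))
    for err in errs:
        print("skipped:", err)
```

The two decisions worth checking against your own content pack configuration are the clear-event rule (an "ok" status must map to normal, otherwise the notable never resolves) and the fallback for unknown vendor severities: dropping such alerts silently is the failure mode that makes an ITSI deployment look quiet when it is not.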
Next steps
Still having trouble? Splunk has many resources available to help get you back on track.
- Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.
- Splunk Answers: Ask your question to the Splunk Community, which has provided over 50,000 user solutions to date.
- Splunk Customer Support: Contact Splunk to discuss your environment and receive customer support.
- Splunk Observability Training Courses: Comprehensive Splunk training to fully unlock the power of Splunk Observability Cloud.