Sending Splunk Observability events as Alert Actions from Splunk IT Service Intelligence
It can be helpful for Splunk Observability Cloud users to be identified of issues in Splunk ITSI, even if they don't have access to use Splunk ITSI. An Splunk Observability Cloud Alert Action can be used to send those users a notification. For example, you can send your developers a notification telling them that Splunk ITSI’s KPIs have identified an issue with an SAP entity that your developers’ software depends on to track inventory.
This is only one example use case. You can apply this use case to any data within Splunk and data correlated by Splunk ITSI. Other common use cases can use this same method to pass context from Splunk ITSI business services and KPIs into Splunk Observability Cloud.
Solution
- Download the Splunk Observability Cloud Alert Action for Splunk from Splunkbase.
- From the Apps drop-down menu, select Splunk Observability Cloud Alert Action for Splunk, then click on Configuration.
- Enter your Splunk Observability Cloud API token.
- Create and schedule your alert as normal. Here is an example of the alert setup:
To find KPI search results and alert events which form the basis for your Alert Action, you can check these indexes in Splunk ITSI:
itsi_summary
anomaly_detection
itsi_grouped_alerts
-
At the bottom of your alert setup, click Add New Response Action then choose the Observability Events alert action.
- Input the fields you would like to pass as dimensions into Splunk Observability Events.
- In Splunk Observability Cloud, open the dashboard that you'd like to overlay event data on. In the Event Overlay drop-down, choose an Event Overlay to match your event name. You can use asterisks (*) to work as wildcards.
- In your chart options, enable Show events as lines and Show data markers for overlaying events on that chart.
Events will now be overlaid on your chart.
Next steps
These resources might help you understand and implement this guidance:
- Splunk Docs: Add information to a dashboard
- Splunk Docs: Create and manage organization access tokens using Splunk Observability Cloud