Splunk Lantern

Using the Content Pack for ITSI Monitoring and Alerting for policy management

Writing correlation searches and creating notable event aggregation policies (NEAPs) from scratch is time-consuming and error prone. You need a better way to get started with these Splunk ITSI features.

This article is part of the Definitive Guide to Best Practices for IT Service Intelligence. ITSI end users will benefit from adopting this practice as they work on Event Analytics and Service Insights.

Solution

The Content Pack for ITSI Monitoring and Alerting contains a variety of correlation searches and several notable event aggregation policies for different use cases.

Correlation searches

Correlation searches are recurring saved searches. If results are found for these searches, notable events are created and placed in the itsi_tracked_alerts index.

Creating correlation searches is a very time-consuming process. They must be configured through the ITSI correlation search configuration interface rather than in a .conf file, and there are many fields to configure. In addition, you might accidentally configure them to behave in ways you do not intend.

Instead of taking administrative time to create these searches and then tune them whenever problems arise, it’s much easier to use the built-in searches from the Content Pack for ITSI Monitoring and Alerting. There are a number of out-of-the-box correlation searches in the content pack that can be enabled in ITSI.
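Once content pack searches are enabled, the first operational check is whether they are actually producing notable events. The following SPL is an added example, not from the article or the content pack; it assumes the standard ITSI notable-event fields `source` (the originating correlation search name), `itsi_service_id` and `severity`.

```spl
index=itsi_tracked_alerts earliest=-24h
| stats count AS notable_events
        dc(itsi_service_id) AS services_affected
        max(severity) AS max_severity
        latest(_time) AS last_fired
    BY source
| eval last_fired=strftime(last_fired, "%Y-%m-%d %H:%M:%S")
| sort - notable_events
```

An enabled search that does not appear in the results has not fired in the window; a search at the top with a very high count is the usual candidate for threshold tuning or for grouping by a NEAP.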

Notable event aggregation policies

NEAPs are used to group notable events into episodes. NEAPs are also used to control what actions are taken when specified conditions are met.

Creating NEAPs isn’t as time-consuming as correlation searches but it is still administrative work to create and maintain these policies. The Content Pack for ITSI Monitoring and Alerting simplifies this work significantly.

If you are a Splunk Cloud Platform customer, there is a limit on both the number of correlation searches and the number of NEAPs you can have. See the platform service limits documentation for more information.

Next steps

This content comes from the Splunk .conf presentation The Definitive List of Best Practices for Splunk® IT Service Intelligence: How to Configure, Administer, and Use ITSI for Optimal Results, with part one presented at .conf23 and part two at .conf24. In the session replays, you can watch Jason Riley and Jeff Wiedemann share the many best practices they have amassed for designing key performance indicators (KPIs), services, episodes, and machine learning to maximize end-user experience and insights. Whether you're new or experienced, you'll come away with tactical guidance you can use right away.

You might also be interested in the following Splunk resources: