
Splunk Lantern

Pushing alerts to the Splunk platform and ITSI

Splunk IT Service Intelligence (ITSI) has a robust event analytics engine that can perform a variety of functions. To remediate events quickly, push alerts to the Splunk platform rather than relying on a scheduled input to pull them.

This article is part of the Definitive Guide to Best Practices for IT Service Intelligence. ITSI administrators will benefit from adopting this practice as they work on Event Analytics.

How to use Splunk software for this use case 

All episodes follow a basic pattern:

  1. Failure: Something being monitored fails.
  2. Detection: The monitoring system detects the failure.
  3. Alert Creation: An alert is created.
  4. Resolution: The situation is resolved in some manner.
  5. Clearance Detection: The monitoring system detects that the condition has cleared.
  6. Clearing Alert: A clearing alert is created.


So what is the difference in this pattern between pushing these events to the Splunk platform versus waiting for the Splunk platform to pull them? The following two timelines show a comparison.

The Splunk platform waits for alerts to be pulled

Pulled alerts rely on “Scheduled Inputs,” which fetch data at set intervals. This introduces lag at several stages: there can be a significant amount of time between when the alert is created in the monitoring system and when the scheduled input next runs, and the same lag occurs again when the situation is resolved. So while a service might have been down for only a minute, ITSI might think it was down for half an hour. During that lag, you might be paging people to work on a situation that has already been resolved.

The pattern of events in this scenario is:

  1. Failure: Something being monitored fails.
  2. Detection: The monitoring system detects the failure.
  3. Alert Creation: An alert is created within the monitoring system.
  4. Scheduled Input (Fetch): The scheduled input runs and brings the alert data into Splunk.
  5. Episode Creation: An ITSI episode is created.
  6. Resolution: The situation is resolved in some manner.
  7. Clearance Detection: The monitoring system detects the condition has cleared.
  8. Clearing Alert: A clearing alert is created within the monitoring system.
  9. Scheduled Input (Fetch): The scheduled input runs and brings in the clearing alert data.
  10. Episode Closure: The ITSI episode is closed.
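The two timelines can be put in numbers. The following is an added example, not code from the Lantern article or from ITSI itself: it models a scheduled input that runs every `interval` seconds (pull) against direct delivery with a small fixed `push_delay` (push), and reports how long ITSI would believe the episode was open and how long it stays open after the real fix. The `Outage` times, the 30-minute interval and the 2-second push delay are constructed sample values. The same function also covers the edge case where the alert and its clearing alert land in one fetch, in which case ITSI creates and closes the episode in the same run.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Outage:
    """One monitored failure. Times are seconds on a shared clock (constructed sample values)."""
    alert_at: float    # the monitoring system creates the alert
    cleared_at: float  # the monitoring system creates the clearing alert


def next_poll(t: float, interval: float, offset: float = 0.0) -> float:
    """Time of the first scheduled-input run at or after t (runs every `interval` s, phase `offset`)."""
    if interval <= 0:
        raise ValueError("poll interval must be positive")
    runs = math.ceil((t - offset) / interval)
    return offset + runs * interval


def _summarize(outage: Outage, created: float, closed: float) -> dict:
    return {
        "episode_created": created,
        "episode_closed": closed,
        "true_down_seconds": outage.cleared_at - outage.alert_at,
        "observed_down_seconds": closed - created,
        "creation_lag": created - outage.alert_at,
        # Seconds during which ITSI still shows the episode open after the real fix:
        # the window in which responders may be paged for an already-resolved issue.
        "stale_open_seconds": closed - outage.cleared_at,
    }


def pull_timeline(outage: Outage, interval: float, offset: float = 0.0) -> dict:
    """Pull model: ITSI learns about each alert only when the scheduled input next runs."""
    created = next_poll(outage.alert_at, interval, offset)
    closed = next_poll(outage.cleared_at, interval, offset)
    return _summarize(outage, created, closed)


def push_timeline(outage: Outage, push_delay: float = 0.0) -> dict:
    """Push model: each alert reaches the Splunk platform after a small, fixed delivery delay."""
    return _summarize(outage, outage.alert_at + push_delay, outage.cleared_at + push_delay)


if __name__ == "__main__":
    # Constructed sample: the service is down for one minute, shortly before a 30-minute poll.
    outage = Outage(alert_at=1790, cleared_at=1850)
    for name, result in (("pull (30 min input)", pull_timeline(outage, interval=1800)),
                         ("push (2 s delivery)", push_timeline(outage, push_delay=2))):
        print(name, result)
```

With the sample outage, the pull model reports the episode open for 1800 seconds (the half hour the article mentions) against a true outage of 60 seconds, and keeps it open for 1750 seconds after the fix; the push model reports 60 seconds with a 2-second stale window.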


An alert is pushed to the Splunk platform

In this scenario, events are pushed to the Splunk platform. Doing this creates and clears the episode almost immediately. There are fewer steps and they are completed in less time.

The pattern of events in this scenario is:

  1. Failure: Something being monitored fails.
  2. Detection: The monitoring system detects the failure.
  3. Alert Creation/Push: An alert is created and pushed immediately to the Splunk platform.
  4. Episode Creation: An ITSI episode is created.
  5. Resolution: The situation is resolved in some manner.
  6. Clearance Detection: The monitoring system detects the condition has cleared.
  7. Clearing Alert: A clearing alert is created and sent to the Splunk platform, which closes the episode.
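One way a monitoring system can push the alert and its clearing alert directly to the Splunk platform is over the HTTP Event Collector (HEC). The following is an added example, not code from the Lantern article or from ITSI; it assumes HEC is enabled with a token scoped to an alerts index, and that an ITSI correlation search over that index opens and closes episodes keyed on the `alert_id` and `status` fields chosen here. The endpoint, token, index, sourcetype, field names and severity values are placeholders, not values from the article.

```python
import json
import time
import urllib.request

# Placeholders: point these at your own HEC endpoint and token (never commit a real token).
HEC_ENDPOINT = "https://splunk.example.com:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"

VALID_STATUSES = ("open", "cleared")


def validate_status(status: str) -> bool:
    """True only for the two states the (assumed) correlation search keys on."""
    return status in VALID_STATUSES


def build_alert_event(alert_id, monitored_object, severity, description,
                      status="open", index="alerts", sourcetype="monitoring:alert",
                      event_time=None):
    """Wrap an alert in the HEC event envelope (time/host/source/sourcetype/index/event)."""
    if not validate_status(status):
        raise ValueError(f"status must be one of {VALID_STATUSES}")
    return {
        "time": time.time() if event_time is None else event_time,
        "host": monitored_object,
        "source": "monitoring-system",   # assumed name of the system doing the push
        "sourcetype": sourcetype,
        "index": index,
        "event": {
            "alert_id": alert_id,        # stable key shared by the alert and its clearing alert
            "monitored_object": monitored_object,
            "status": status,
            "severity": severity,
            "description": description,
        },
    }


def build_clearing_event(open_event, event_time=None):
    """Derive the clearing alert from the open alert so both carry the same alert_id."""
    cleared = json.loads(json.dumps(open_event))  # deep copy; the open event stays untouched
    cleared["time"] = time.time() if event_time is None else event_time
    cleared["event"]["status"] = "cleared"
    cleared["event"]["severity"] = "normal"      # placeholder severity for a cleared condition
    cleared["event"]["description"] = "cleared: " + open_event["event"]["description"]
    return cleared


def send_to_hec(payload, endpoint=HEC_ENDPOINT, token=HEC_TOKEN, timeout=5):
    """POST one event to HEC; TLS certificate verification is left at urllib's default (on)."""
    req = urllib.request.Request(
        endpoint,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    import os
    opened = build_alert_event("db-01:disk", "db-01", "critical", "disk usage above 95%")
    cleared = build_clearing_event(opened)
    print(json.dumps(opened, indent=2))
    print(json.dumps(cleared, indent=2))
    # Only push when explicitly asked, so the script runs offline by default.
    if os.environ.get("PUSH_TO_HEC") == "1":
        print(send_to_hec(opened))
        print(send_to_hec(cleared))
```

The clearing alert is derived from the open alert rather than built separately so the two events always share the same `alert_id`; that shared key is what lets the correlation search close the episode it opened, with no scheduled input in the path.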


Next steps

This content comes from the Splunk .Conf presentation The Definitive List of Best Practices for Splunk® IT Service Intelligence: How to Configure, Administer, and Use ITSI for Optimal Results; part one was presented at .Conf23 and part two at .Conf24. In the session replays, you can watch Jason Riley and Jeff Wiedemann share the many awesome best practices they've amassed for designing key performance indicators (KPIs), services, episodes, and machine learning to maximize end-user experience and insights. Whether you're new or experienced, you'll come away with tactical guidance you can use right away.

You might also be interested in the following Splunk resources:

  • Splunk Help: Event analytics manual 
  • Splunk Help: Send data to Splunk Cloud Platform with ITSI data collection agents
  • Splunk Help: Best practices for implementing Event Analytics in ITSI

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their Success Plan. Engage the ODS team at ondemand@cisco.com if you would like assistance.