Splunk ITSI lets you intelligently group alerts using machine learning and other grouping methods to provide business context, reduce noise, and give you the means to prioritize, troubleshoot, and find root cause quickly. There are several out-of-the-box grouping approaches, and they can also be completely customized for your needs.
- The simplest method combines single alerts into relevant alarms. This deduplicates flapping alerts into a single alarm: you don't need 84 tickets or emails telling you that a system is down and up and down and up. Splunk ITSI can group those 84 alerts into five alarms to reduce notifications, while still allowing your team to drill into these episodes to see all of the alert details. You can also group by host or device, showing all the alarms affecting that source.
- Another method is to group by business service. You can see all the alarms associated with a business service correlated from different monitoring tools across devices, applications, containers, and anything else in your on-premises and cloud-based infrastructures.
When you have a manageable number of alarms to react to, you can switch to root cause analysis to see which alerts started an episode. You can also define relevant instructions and runbook actions within the alarm, implement predefined or custom actions such as opening an incident ticket in your ticketing system, or use machine learning to find earlier episodes that might be similar to this one, based on the associated alarms. Reviewing similar episodes shows you their associated tickets, so you can see what was done to resolve the issue, and shows how Splunk ITSI judged the episodes similar, based on shared field values or other correlations.
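The grouping, root-cause and similar-episode behaviour described in the two bullets and the paragraph above can be illustrated with a small, self-contained script. It is an added example, not Splunk ITSI's own code or its actual algorithm: ITSI's grouping rules are configured inside the product, whereas this script uses a simple time-gap rule (a new episode starts when more than `GAP` elapses between alerts with the same key) and a Jaccard overlap of (source, title) pairs as the similarity measure. The alert list, the `HOST_TO_SERVICE` map and all host names are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample alerts standing in for events from several monitoring
# tools (not real Splunk ITSI data). Host web01 flaps down/up twice, an hour
# apart; db01, web02 and mail01 each raise a single alert.
T0 = datetime(2024, 3, 1, 9, 0, 0)
ALERTS = [
    {"time": T0 + timedelta(minutes=m), "host": h, "source": s, "title": t, "severity": sev}
    for m, h, s, t, sev in [
        (0,  "web01",  "nagios", "host down",       "critical"),
        (1,  "web01",  "nagios", "host up",         "info"),
        (2,  "web01",  "nagios", "host down",       "critical"),
        (3,  "web01",  "nagios", "host up",         "info"),
        (4,  "db01",   "zabbix", "replication lag", "warning"),
        (5,  "web01",  "nagios", "host down",       "critical"),
        (6,  "web02",  "nagios", "http 503",        "critical"),
        (60, "web01",  "nagios", "host down",       "critical"),
        (61, "web01",  "nagios", "host up",         "info"),
        (62, "mail01", "zabbix", "queue backlog",   "warning"),
    ]
]

# Assumed mapping of hosts to business services (hypothetical names).
HOST_TO_SERVICE = {"web01": "checkout", "web02": "checkout", "db01": "checkout", "mail01": "email"}

# Quiet period after which alerts with the same key start a new episode.
GAP = timedelta(minutes=10)


def group_into_episodes(alerts, key_fn, gap=GAP):
    """Group alerts that share key_fn(alert) into episodes.

    Alerts are processed in time order; an alert joins the open episode for
    its key unless more than `gap` has passed since that episode's last alert,
    in which case a new episode is opened. Flapping down/up/down alerts on
    one host therefore collapse into a single episode.
    """
    open_episodes = {}  # key -> episode currently accepting alerts
    episodes = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        key = key_fn(alert)
        ep = open_episodes.get(key)
        if ep is None or alert["time"] - ep["alerts"][-1]["time"] > gap:
            ep = {"key": key, "alerts": []}
            episodes.append(ep)
            open_episodes[key] = ep
        ep["alerts"].append(alert)
    return episodes


def root_cause_candidate(episode):
    """The alert that started the episode: the earliest one in it."""
    return min(episode["alerts"], key=lambda a: a["time"])


def episode_signature(episode):
    """Set of (source, title) pairs that characterises an episode."""
    return {(a["source"], a["title"]) for a in episode["alerts"]}


def similarity(ep_a, ep_b):
    """Jaccard overlap of the two signatures; 1.0 means the same alert kinds."""
    a, b = episode_signature(ep_a), episode_signature(ep_b)
    return len(a & b) / len(a | b) if a | b else 0.0


def similar_episodes(episode, candidates, min_score=0.5):
    """Earlier or other episodes whose signature overlaps at least min_score,
    most similar first (the episode itself is excluded)."""
    scored = [(similarity(episode, c), c) for c in candidates if c is not episode]
    scored.sort(key=lambda sc: sc[0], reverse=True)
    return [c for s, c in scored if s >= min_score]


if __name__ == "__main__":
    by_host = group_into_episodes(ALERTS, lambda a: a["host"])
    print(f"{len(ALERTS)} alerts -> {len(by_host)} host episodes")
    for ep in by_host:
        first = root_cause_candidate(ep)
        print(f"  {ep['key']}: {len(ep['alerts'])} alerts, started by '{first['title']}' at {first['time']:%H:%M}")

    by_service = group_into_episodes(ALERTS, lambda a: HOST_TO_SERVICE[a["host"]])
    print(f"{len(ALERTS)} alerts -> {len(by_service)} service episodes")
    for ep in by_service:
        print(f"  {ep['key']}: {len(ep['alerts'])} alerts from {sorted({a['host'] for a in ep['alerts']})}")

    latest_web01 = by_host[3]
    for ep in similar_episodes(latest_web01, by_host):
        print(f"episode at {ep['alerts'][0]['time']:%H:%M} on {ep['key']} looks similar "
              f"(score {similarity(latest_web01, ep):.2f})")
```

Grouping by host turns the ten constructed alerts into five episodes, and grouping by service into three, with the first checkout episode correlating alerts from two different tools. The similarity lookup finds the earlier web01 flapping episode as a match for the later one because both contain the same (source, title) pairs. Any real deployment would tune the gap and the key fields per aggregation rule rather than hard-code them as here.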
Watch the following video to learn more.