topic Re: ITSI - Episode Review - 1 KPI in Splunk ITSI

ITSI - Episode Review - 1 KPI

arthurva — Fri, 22 Feb 2019 00:58:43 GMT

I'm very new to Splunk and ITSI. We have created a service for VMware VMs. The Service has several KPIs like memory and CPU. A few of the VMs have CPUs in Critical status. Episode Review shows 0 episodes. Is it possible to have the specific servers show up in Episode Review?

Re: ITSI - Episode Review - 1 KPI

chrisyounger — Fri, 22 Feb 2019 01:02:15 GMT

By default, these won't create episodes.

There is a great blog series that will show you how to configure the alerting for ITSI:

https://www.splunk.com/blog/2019/01/18/a-blueprint-for-splunk-itsi-alerting-step-1.html

https://www.splunk.com/blog/2019/02/01/a-blueprint-for-splunk-itsi-alerting-step-2.html

https://www.splunk.com/blog/2019/02/08/a-blueprint-for-splunk-itsi-alerting-step-3.html

https://www.splunk.com/blog/2019/02/14/a-blueprint-for-splunk-itsi-alerting-step-4.html

Hope this helps,
Chris.

Re: ITSI - Episode Review - 1 KPI

arthurva — Fri, 22 Feb 2019 01:05:28 GMT

I'll start reading them. Thank you.

Re: ITSI - Episode Review - 1 KPI

arthurva — Fri, 22 Feb 2019 16:50:57 GMT

I'm stuck doing something on the first link.

...but we’re going to wind up modifying it slightly so we’ll duplicate the existing rule and make our modifications to the copy...

How do you duplicate it? I don't see that option.

Re: ITSI - Episode Review - 1 KPI

szhou_splunk — Sun, 03 Mar 2019 03:29:04 GMT

There is an "Edit" dropdown in "Actions" column and you can click "Clone" from the dropdown to duplicate it.
Generally, in order to show these events in Episode Review, you need to create some of correlation searches that generate the events, and use Notable Event Aggregation Policy (Under Configuration dropdown manual) to include these events for that Policy, then you will see these events(got grouped into Episode by similarity) in Episode Review.