Alerting

How to get ITSI Alerts based on KPIs from All Server Search?

SeanPLittle
Engager

I have just been pushed into the deep end of the Splunk pool and I need to figure something out.

I have ITSI and within it there is a Service that encompases all of my Server Entities.

Within that Service I have KPIs for Health, CPU, network, RAM, and Disk Utilization.

I would like to be able to get notifications from this service with a list of affected Entities contained in the email for the alerts.

Can I do that? How would I be able to do that?

Thanks!

ansif
Motivator

@SeanPLittle : It is easy,you need to create an aggregation policy under configure->notable_event_aggregation_policies

There you can group events and in action you can send mail or tickets or run a script etc...

https://docs.splunk.com/Documentation/ITSI/3.0.1/User/CreateAggregationPolicies

0 Karma

SeanPLittle
Engager

Yes but if I set up an aggregate policy I just get a notification that the CPU/RAM/Disk has triggered the alarm. I do not get which of my 1700 servers has triggered this alarm.

Anyway I can do that within the notification language maybe?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...