I have just been pushed into the deep end of the Splunk pool and I need to figure something out.
I have ITSI and within it there is a Service that encompasses all of my Server Entities.
Within that Service I have KPIs for Health, CPU, network, RAM, and Disk Utilization.
I would like to be able to get notifications from this service with a list of affected Entities contained in the email for the alerts.
Can I do that? How would I be able to do that?
@SeanPLittle: It is easy, you need to create an aggregation policy under configure->notable_event_aggregation_policies
There you can group events and in action you can send mail or tickets or run a script etc...
Yes, but if I set up an aggregate policy I just get a notification that the CPU/RAM/Disk has triggered the alarm. I do not get which of my 1700 servers has triggered this alarm.
Any way I can do that within the notification language maybe?