All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

ITSI episodes and alerting

Darkvader
New Member
3 weeks ago

My question is 2 pronged:

 

1. When we receive an alert sometimes it will appear in the "Critical and High Episodes" section of the incorrect service. Why is that and how do i fix it?

2. I as an admin am able to see these alerts, but another admin is unable too. When I check his roles and capabilities, they are the same as mine so what could be the issue?

Labels (3)
0 Karma
Reply

akkoem
Explorer
a week ago

1) I think you should see itsi indexes :  itsi_tracked_alerts and itsi_grouped_alerts , locate this alert and go from there. there should be a service ID in the event that you can trace to update on the way. 

2) only think I can think of is private view , perhaps you should share more context.

0 Karma
Reply

Darkvader
New Member
a week ago

Thanks! Another question. What determines how long an episode will appear under the "critical and high episodes" section? I cant seem to find out why in the docs. 

Darkvader_0-1762176709725.png

 

0 Karma
Reply

akkoem
Explorer
a week ago

Regardless of it's severity , it would stay in the list as long as retention time of the it's kvstore: itsi_grouped_alerts (setting is TTL)
This could be useful when episode is closed, and one wants check what was the resolution notes from prev. incident etc..
That's being said, if you must delete episodes after certain time:

find the collections.conf where itsi_grouped_alerts is configured ( I think it was in main ITSI app but could be in one of the side apps)

[itsi_grouped_alerts]
ttl = 2592000  # 30 days in seconds


if you don't wanna deal with conf files but with pure SPL, you can schedule a daily scheduled search that will do the same work manually for you:

| inputlookup itsi_grouped_alerts
| where _time < relative_time(now(), "-30d")
| outputlookup itsi_grouped_alerts append=false

 please note this is un-reversible. 

Finally, setting a retention time on indexes.conf for notable index would do the final work for episodes. 

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...