Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can we merge notable events from Splunk IT Service Intelligence and Splunk Enterprise Security?

paulstout
Path Finder
‎02-08-2017 01:29 PM

Is it possible to merge the notable events from Splunk IT Service Intelligence (ITSI) and Splunk Enterprise Security (ES)? Ideally, I'd like to create a single location where our analysts can review incidents. ITSI is not in production at this time, but it would be possible to install that on an ES search head if that would help. Any insight would be appreciate, thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

smoir_splunk
Splunk Employee
Splunk Employee
‎02-08-2017 02:09 PM

This is not possible at this time.

This is largely due to the added search performance that you would incur by having both apps hitting the same indexers. In addition, the notable events are stored in separate indexes for both apps and cannot be viewed in a unified view. For performance reasons and CIM- and other supporting add-on incompatibilities that can occur, it isn't recommended to install ITSI and ES on the same search head.

Do you have one ops team that would be reviewing and responding to both IT outages and security incidents? I'd be interested to hear more about the use case for a unified view at your organization.

View solution in original post

Reply
Solved! Jump to solution
Solution

smoir_splunk
Splunk Employee
Splunk Employee
‎02-08-2017 02:09 PM

This is not possible at this time.

This is largely due to the added search performance that you would incur by having both apps hitting the same indexers. In addition, the notable events are stored in separate indexes for both apps and cannot be viewed in a unified view. For performance reasons and CIM- and other supporting add-on incompatibilities that can occur, it isn't recommended to install ITSI and ES on the same search head.

Do you have one ops team that would be reviewing and responding to both IT outages and security incidents? I'd be interested to hear more about the use case for a unified view at your organization.

Reply
Solved! Jump to solution

paulstout
Path Finder
‎02-08-2017 02:14 PM

Thank you! Yes, our platform services team is responsible for care and feeding of Splunk as well as some of the ES notable events. My question was from a desire to create a single pane of glass -- ideally filtered views for different teams -- for a better user experience, easier to manage, etc etc.

I can appreciate the difficulty in integrating these -- maybe moving the notable events to the kvstore would make this easier in future releases?

Thanks again, this answered my question.

0 Karma
Reply
Solved! Jump to solution

smoir_splunk
Splunk Employee
Splunk Employee
‎02-08-2017 02:49 PM

Thanks for the added context, Paul!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...