Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change severity of an ITSI notable event when clearing event received?

FeatureCreeep
Path Finder
‎06-21-2024 03:13 PM

I'm trying to understand how to update the severity of a notable event when a new event arrives with a normal severity.  I'm feeding external alerts into ITSI and a correlation search turns it into a notable event.  I'm using a specific ID for the "Notable Event Identifier Fields".  These alerts correctly turn into notable events and placed into an episode.  When the same alert comes into ITSI, but with a "Normal"\2 severity, I expect it to change the severity of the prior notable event in the episode.  Instead, it will treat it like a new notable event and put it into the same episode.  I thought ITSI uses the Notable Event Identifier Fields to determine if two events are the same or not.  I checked that both the original event and the "clearing" event have the exact same event_identifier_hash, so why does ITSI treat it like an additional alert\event in the episode?  Instead of having one normal\clear event in the episode, I now have one critical and one normal.

How are you supposed to update the status of an alert\notable event in an episode when a clearing event is received?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FeatureCreeep
Path Finder
‎06-24-2024 01:07 PM

I believe this was a misunderstanding on my part on how the episode views work.  The "Events Timeline" screen looks like I would expect, with one alert and the timeline shows it was red, then moved to green.  The "All Events" view appears to be a running list of all events that drive state changes.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

FeatureCreeep
Path Finder
‎06-24-2024 01:07 PM

I believe this was a misunderstanding on my part on how the episode views work.  The "Events Timeline" screen looks like I would expect, with one alert and the timeline shows it was red, then moved to green.  The "All Events" view appears to be a running list of all events that drive state changes.

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...