Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change severity of an ITSI notable event when clearing event received?

FeatureCreeep
Path Finder
‎06-21-2024 03:13 PM

I'm trying to understand how to update the severity of a notable event when a new event arrives with a normal severity.  I'm feeding external alerts into ITSI and a correlation search turns it into a notable event.  I'm using a specific ID for the "Notable Event Identifier Fields".  These alerts correctly turn into notable events and placed into an episode.  When the same alert comes into ITSI, but with a "Normal"\2 severity, I expect it to change the severity of the prior notable event in the episode.  Instead, it will treat it like a new notable event and put it into the same episode.  I thought ITSI uses the Notable Event Identifier Fields to determine if two events are the same or not.  I checked that both the original event and the "clearing" event have the exact same event_identifier_hash, so why does ITSI treat it like an additional alert\event in the episode?  Instead of having one normal\clear event in the episode, I now have one critical and one normal.

How are you supposed to update the status of an alert\notable event in an episode when a clearing event is received?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FeatureCreeep
Path Finder
‎06-24-2024 01:07 PM

I believe this was a misunderstanding on my part on how the episode views work.  The "Events Timeline" screen looks like I would expect, with one alert and the timeline shows it was red, then moved to green.  The "All Events" view appears to be a running list of all events that drive state changes.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

FeatureCreeep
Path Finder
‎06-24-2024 01:07 PM

I believe this was a misunderstanding on my part on how the episode views work.  The "Events Timeline" screen looks like I would expect, with one alert and the timeline shows it was red, then moved to green.  The "All Events" view appears to be a running list of all events that drive state changes.

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top