Splunk IT Service Intelligence

Custom Alert Action in ITSI

bstimely
New Member

I created a custom alert action in Splunk Enterprise. When I try to use that action in ITSI for a correlated search, I don't see it as an option. How do I utilize my customer alert action inside ITSI?

Labels (2)
0 Karma

cdemir
Explorer

Using custom alert actions in ITSI is a little different than in ES. If you wish to use a custom alert action for an event generated by a correlation search, you have to set it up as an action rule on an aggregation policy. You also have to configure the custom alert action in a conf file to be selectable as an action against an event. Parameters to invoke the action are configured as part of the policy.

There’s not a whole lot of documentation on this, but there is some to help you get started on docs.

Edit*** I would also like to add that you could technically just use your custom alert action from ES on ITSI events and episodes. Episode information is indexed in itsi_grouped_alerts and notable events are indexed in itsi_tracked_alerts. If the SHC with itsi installed is running from the same indexer cluster as your deployment of ES, you can search the itsi internal indexes from ES as well.

0 Karma

bstimely
New Member

I used this as a reference. I have it running OK in Enterprise. I just want to reuse the action from ITSI.
https://docs.splunk.com/Documentation/Splunk/8.0.2/AdvancedDev/ModAlertsIntro

0 Karma

bstimely
New Member

Yes, it is.

0 Karma

darrenfuller
Contributor

Is the new alert action a modular alert?

0 Karma
Get Updates on the Splunk Community!

Tips & Tricks When Using Ingest Actions

Tune in to learn about:Large scale architecture when using Ingest ActionsRegEx performance considerations ...

Announcing Our Splunk MVPs

We are excited to announce the first cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...