Splunk IT Service Intelligence
Highlighted

Custom Alert Action in ITSI

New Member

I created a custom alert action in Splunk Enterprise. When I try to use that action in ITSI for a correlated search, I don't see it as an option. How do I utilize my customer alert action inside ITSI?

Labels (2)
0 Karma
Highlighted

Re: Custom Alert Action in ITSI

Contributor

Is the new alert action a modular alert?

0 Karma
Highlighted

Re: Custom Alert Action in ITSI

New Member

Yes, it is.

0 Karma
Highlighted

Re: Custom Alert Action in ITSI

New Member

I used this as a reference. I have it running OK in Enterprise. I just want to reuse the action from ITSI.
https://docs.splunk.com/Documentation/Splunk/8.0.2/AdvancedDev/ModAlertsIntro

0 Karma
Highlighted

Re: Custom Alert Action in ITSI

Explorer

Using custom alert actions in ITSI is a little different than in ES. If you wish to use a custom alert action for an event generated by a correlation search, you have to set it up as an action rule on an aggregation policy. You also have to configure the custom alert action in a conf file to be selectable as an action against an event. Parameters to invoke the action are configured as part of the policy.

There’s not a whole lot of documentation on this, but there is some to help you get started on docs.

Edit*** I would also like to add that you could technically just use your custom alert action from ES on ITSI events and episodes. Episode information is indexed in itsigroupedalerts and notable events are indexed in itsitrackedalerts. If the SHC with itsi installed is running from the same indexer cluster as your deployment of ES, you can search the itsi internal indexes from ES as well.

0 Karma