ITSI - Episode Review - 1 KPI

arthurva · ‎02-21-2019

I'm very new to Splunk and ITSI. We have created a service for VMware VMs. The Service has several KPIs like memory and CPU. A few of the VMs have CPUs in Critical status. Episode Review shows 0 episodes. Is it possible to have the specific servers show up in Episode Review?

chrisyounger · ‎02-21-2019

By default, these won't create episodes.

There is a great blog series that will show you how to configure the alerting for ITSI:

https://www.splunk.com/blog/2019/01/18/a-blueprint-for-splunk-itsi-alerting-step-1.html

https://www.splunk.com/blog/2019/02/01/a-blueprint-for-splunk-itsi-alerting-step-2.html

https://www.splunk.com/blog/2019/02/08/a-blueprint-for-splunk-itsi-alerting-step-3.html

https://www.splunk.com/blog/2019/02/14/a-blueprint-for-splunk-itsi-alerting-step-4.html

Hope this helps,
Chris.

arthurva · ‎02-22-2019

I'm stuck doing something on the first link.

...but we’re going to wind up modifying it slightly so we’ll duplicate the existing rule and make our modifications to the copy...

How do you duplicate it? I don't see that option.

szhou_splunk · ‎03-02-2019

There is an "Edit" dropdown in "Actions" column and you can click "Clone" from the dropdown to duplicate it.
Generally, in order to show these events in Episode Review, you need to create some of correlation searches that generate the events, and use Notable Event Aggregation Policy (Under Configuration dropdown manual) to include these events for that Policy, then you will see these events(got grouped into Episode by similarity) in Episode Review.

arthurva · ‎02-21-2019

I'll start reading them. Thank you.

ITSI - Episode Review - 1 KPI

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases