Is there a way to configure correlation search for...

kecarste99 · ‎04-24-2019

Is there a way to be able to configure Maintenance Windows for Services to include all Episodes without adding each service to “Association” in the correlation search? The problem with doing that is every Service in the Association appears in the Episode under “IMPACTED SERVICES AND KPIS”.

We need to be able to do the following:

Have a correlation search include notable events for multiple services
Configure Maintenance Windows for Services and have Episodes for the service included in the maintenance window
Not have to ‘Associate’ each service in the correlation search that includes multiple services

skoelpin · ‎04-25-2019

Another approach you can take.. You can add the extra logic in your aggregation policy which looks for the in_mm field and if it has a value of 1 then automatically break episodes. So you would still create notable events during a MM window, but they would not roll up into episodes or be visible by your end users. Once that in_mm field goes back to zero then episodes will then start to roll up

dlm · ‎02-24-2022

We are having the same issue. We have a nagios correlation search for multiple teams. Each team have about 20+ services. There are Parent services but I was told the parent service won't include the children. So how do you put the services on the correlation search. That's over 100 services... I saw where you talked about doing the NEAP. What do you need to add to the correlation search to get the in_maintenance or this said in_mm field to show as a field so you can have it available to use in the NEAP.

Thanks

Is there a way to configure correlation search for multiple services for Maintenance Windows?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life