Splunk IT Service Intelligence

Multiple Remedy Tickets are getting generated for the Episode having multiple notables


We are facing an issue while creating tickets.

For the first run of the correlation search, notable events are generated and grouped into an episode; however, it creates multiple tickets for the episode (one for each event in the episode) the first time. From the second run onward, notables are duplicated into the episode, and all the new notables are updated onto the ticket that was created with the first alert in the episode during the first run of the correlation search.

Please let us know if this is known behavior and, if so, what the logic behind it is, or whether any specific setting/fields need to be modified when raising tickets?


Splunk Employee

Make sure that in the correlation search you have the Notable Event Identifier fields set, and not just left at 'source'. These fields are used to identify the NE as unique. For instance, you might want to use %host%%eventtype%%Message%. This will let ITSI know that the NE is the exact same one as one already created, and it will prevent duplicates.

When you want to create a Remedy ticket, make sure that in the Action tab of the aggregation policy you choose something like "When this event occurs: Severity greater than or equal to Medium", and then the action will be to create an event. Aggregation policies create 1 ticket per episode, not per NE.

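The two points in the answer above, modelled in Python as an added example (this is not ITSI's own code, and it does not reproduce ITSI internals): the identifier template decides which notables are treated as repeats of one already seen, and an aggregation-policy action rule fires once per episode rather than once per notable. The correlation-search results, the `eventtype` split-by field and the severity scale are constructed for illustration.

```python
"""Model of ITSI-style notable-event dedup by identifier fields and of a
per-episode action rule.  Added example, not ITSI's own code; the events,
the split-by field and the severity scale below are constructed."""
import hashlib
import re

# Assumed severity order, lowest to highest.
SEVERITY = {"info": 1, "normal": 2, "low": 3, "medium": 4, "high": 5, "critical": 6}

# Constructed output of two consecutive runs of one correlation search.
# Run 2 re-fires the two run-1 alerts unchanged and adds one new host.
RUN_1 = [
    {"source": "CS - disk full", "host": "web01", "eventtype": "disk_full",
     "Message": "/var at 95%", "severity": "high"},
    {"source": "CS - disk full", "host": "web02", "eventtype": "disk_full",
     "Message": "/var at 97%", "severity": "high"},
]
RUN_2 = RUN_1 + [
    {"source": "CS - disk full", "host": "db01", "eventtype": "disk_full",
     "Message": "/data at 99%", "severity": "critical"},
]


def identifier_hash(event: dict, template: str) -> str:
    """Expand %field% tokens in the identifier template from the event and
    hash the result.  Fields missing from the event expand to ''."""
    key = re.sub(r"%([^%]+)%", lambda m: str(event.get(m.group(1), "")), template)
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def ingest(runs: list, template: str) -> dict:
    """Feed successive runs through identifier-based dedup.
    A notable whose hash was already seen is treated as a repeat of the
    existing one (its count is incremented), not as a new notable."""
    notables = {}
    for run in runs:
        for ev in run:
            h = identifier_hash(ev, template)
            if h in notables:
                notables[h]["count"] += 1
            else:
                notables[h] = {**ev, "count": 1}
    return notables


def tickets_per_episode(notables: dict, split_by: str, min_severity: str) -> dict:
    """Group notables into episodes on split_by, then apply an action rule of
    the form 'when severity >= min_severity: create ticket'.  The rule is
    evaluated per episode, so each episode yields at most one ticket however
    many notables it contains.  Returns {episode_key: ticket_count}."""
    episodes = {}
    for n in notables.values():
        episodes.setdefault(n.get(split_by, ""), []).append(n)
    tickets = {}
    for key, members in episodes.items():
        worst = max(SEVERITY[m["severity"]] for m in members)
        tickets[key] = 1 if worst >= SEVERITY[min_severity] else 0
    return tickets


if __name__ == "__main__":
    for tmpl in ("%source%", "%host%%eventtype%%Message%"):
        n = ingest([RUN_1, RUN_2], tmpl)
        print(tmpl, "->", len(n), "notable(s)",
              sorted((v["host"], v["count"]) for v in n.values()))
        print("  tickets per episode:", tickets_per_episode(n, "eventtype", "medium"))
```

With `%source%` every result of the search hashes to the same identifier, so all five events collapse into one notable and the web02 and db01 alerts are never distinguishable from web01; with `%host%%eventtype%%Message%` the second run recognises the two repeats and only the new db01 alert becomes a new notable. In both cases the episode raises a single ticket.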