Splunk IT Service Intelligence

Send email only once after an episode is open for a period of time


I'm creating a number of correlation searches, and I'd like to be able to send an email ONLY when an episode has been open for more then X number of  minutes. 

If i go into the aggregation policy and set 'If this episode existed for X second(s)', then any event that is added to the episode after X seconds triggers an additional email, which potentially could be a lot of emails. I haven't been able to find a combination of settings that will just send an email once from the aggregation policy rules.

I considered the option to create an alert search for an episode that has been up for a certain period of time in a 'New' state, but I'd prefer for it to be built into the aggregation policy.

Anyone else hit something similar?

Labels (3)
0 Karma


I worked with Splunk Professional Services consultants for ITSI 4.4.5 and covered this example and another where if the episode was open for x time and the severity was high.  But the first event even being high did not satisfy the severity condition until the time did.  Then it took another event of "high" to meet the second after the the time.  But what if no other events arrive?  Consultants recommended submitting a enhancement request as this is the way the developer currently coded the application.  They have a lot of work on their ITSI solution to be more robust like HP OMi and other more advanced event monitoring systems.

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...