Are Splunk IT Service Intelligence (ITSI) notable event aggregation policies stored in a .conf file? If so, where is it? the only thing that I see documented is how to view via the GUI.
ITSI Notable Event Aggregation Polices are stored in the KVStore. Collection related stanza is [itsi_notable_event_aggregation_policy] in
View solution in original post