Splunk IT Service Intelligence

Splunk ITSI Alerting: is there a way to trigger a notable event when the status is critical?

nouraali
Hello,
 
Q1
While configuring #splunk_itsi KPI, under the thresholding section there is an option to Enable KPI Alerting.
As below, the notable event is created when the severity changes from any lower level to critical.
[Screenshot: nouraali_0-1652271501179.png]

 

My question is whether there is a way to trigger a notable event when the status is critical, regardless of the state it was in before.
In other words, when the severity remains critical from the first checkpoint to the second checkpoint, I need a notable event to be created in this case as well. Is that possible?
 
Q2
After configuring a #splunk_itsi correlation search as described here, I wasn't able to see notable events created in the Episode Review.
I have already configured the search in the correlation search and added associated services, so the final search is as below:
index="itsi_summary" kpi IN ("SH * RAM Static","SH * CPU Adaptive","SH * CPU Static","SH * RAM Adaptive","SH * SWAP") alert_level>1
| `filter_maintenance_services("400f819c-f739-4ffc-a25c-86d48362fef8,917c4030-a422-4645-851e-a5b2b5c7f3cd,7fb610b4-15f2-4d21-b035-b4857c9effef,28aa0103-fb41-4382-ab07-c637c16d3d85,bfe94d80-daf5-43b8-8318-dc881fd30128,b3c8562a-d1d6-465a-b0c7-4a28ba7f4612,225e7eb6-2f7c-4f0f-9221-75b1e8471053,a0826af0-2100-44a4-9b51-558bff966bb7,dcb38bc4-e930-4776-92a8-5de0d50cdc5e,721cb2c5-43fa-4419-9dde-a33a467d7770,328b9170-18d3-4b50-9968-01b1e087f955")`
When I run the search it returns the events, so I am not expecting something wrong in the search query.
What am I missing in order to get the notable events visible in the Episode Review tab?
 
Appreciate your help.