Splunk IT Service Intelligence

Why are ITSI Impacted Entities not showing up in the Episode Review?

iamsplunker
Communicator

Hi, I've created the correlation search for problem notifications and defined/enabled the entities in the search, and also defined the entities in the service. The search is generating notable events. However, the impacted entities are not showing up.

Please advise on the next steps and what to verify/check to see this in the Episode Review.

0 Karma
1 Solution

srauhala_splunk
Splunk Employee

Hi! Is the field entity_title used in the notable events / episodes?

STancredi
Observer

So I am experiencing this same issue as well. What would be the best way to add entity_title into a search or incorporate the field into the notable event/episodes?

0 Karma

srauhala_splunk
Splunk Employee

Hi @STancredi

Are you using services in ITSI? In that case you should already have the entity_title and serviceid in the itsi_summary index. Just do not remove them in your correlation search.

/Seb  

0 Karma

STancredi
Observer

Correct, my environment is currently utilizing services.

I do see the entity_title and serviceid within the index, so that's a good thing at least. The only correlation search we have enabled right now only utilizes entity_title apparently (I did not set these up) as its Entity Lookup field. I also reviewed our notable event aggregation policies and noticed that the only ones enabled reference the serviceid, but not entity_title. We're currently having alerts/episodes generated by the Splunk App for Infrastructure (for normalization) and a different aggregator. Neither shows the Impacted Entities. I'm guessing something isn't configured properly in either of them to have that data show; OR my entities are messed up.

0 Karma

iamsplunker
Communicator

I added entity_title to my search. The impacted entities are now showing up.

Thanks!

0 Karma
