Splunk IT Service Intelligence

Why are ITSI Impacted Entities not showing up in the Episode Review?

iamsplunker
Communicator

Hi, I've created the correlation search for problem notifications and defined/enabled the entities in the search, and also defined the entities in the service. The search is generating notable events. However, the impacted entities are not showing up.

Please advise on the next steps: what to verify/check to see this in the Episode Review.

0 Karma
1 Solution

srauhala_splunk
Splunk Employee

Hi! Is the field entity_title used in the notable events / episodes?


merrelr
Path Finder

My Episodes didn't have any "Impacted entities" until I enabled the correlation search "Service Monitoring - Entity Degraded"

0 Karma

STancredi
Loves-to-Learn

So I am experiencing this same issue as well. What would be the best way to add entity_title into a search or incorporate the field into the notable event/episodes?

0 Karma

srauhala_splunk
Splunk Employee

Hi @STancredi

Are you using services in ITSI? In that case you should already have the entity_title and serviceid in the itsi_summary index. Just do not remove them in your correlation search.

/Seb  

0 Karma

STancredi
Loves-to-Learn

Correct, my environment is currently utilizing services.

I do see the entity_title and serviceid within the index, so that's a good thing at least. The only correlation search we have enabled right now only utilizes entity_title apparently (I did not set these up) as its Entity Lookup field. I also reviewed our notable event aggregation policies and noticed that the only ones enabled reference the serviceid, but not entity_title. We're currently having alerts/episodes generated by the Splunk App for Infrastructure (for normalization) and a different aggregator. Neither show the Impacted Entities. I'm guessing something isn't configured properly in either of them to have that data show; OR my entities are messed up.

0 Karma

iamsplunker
Communicator

I added entity_title to my search. The impacted entities are now showing up.

Thanks!

0 Karma
