Splunk IT Service Intelligence
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are notable events not appearing from my multi-KPI alert in IT Service Intelligence?

EricLloyd79
Builder
‎09-13-2018 10:57 AM

alt textI am pretty confused as I have created a very basic multi-KPI Alert that basically triggers if my KPI is at Normal status or Higher (and yes, it is) so I can see what it looks like when Notable Events appear.

Yet no events are appearing ... I have enabled the correlation search... Can anyone think of any other suggestions why it may not be triggering? I'm completely at a loss.

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ssmoot_splunk
Splunk Employee
Splunk Employee
‎09-14-2018 10:36 AM

One thing to check is whether the correlation search is creating an event in itsi_tracked_alerts index, if there are no events, then run the correlation search manually and see if you get results for the timeframe in question. If there are events being created in itsi_tracked_alerts and you do not see Notable Events, try turning off the Event Grouping while in Notable Events Review. Click on the gear icon for View Settings, then select off for Event Grouping, once you hit Done, the ungrouped Notable Events should now be visible.

If this is the case, where ungrouped NE's are visible, but Grouped are not, check to see if Java is installed on the server per our docs:
https://docs.splunk.com/Documentation/ITSI/latest/Configure/DeploymentPlanning#Java_requirements

View solution in original post

Reply
Solved! Jump to solution
Solution

ssmoot_splunk
Splunk Employee
Splunk Employee
‎09-14-2018 10:36 AM

One thing to check is whether the correlation search is creating an event in itsi_tracked_alerts index, if there are no events, then run the correlation search manually and see if you get results for the timeframe in question. If there are events being created in itsi_tracked_alerts and you do not see Notable Events, try turning off the Event Grouping while in Notable Events Review. Click on the gear icon for View Settings, then select off for Event Grouping, once you hit Done, the ungrouped Notable Events should now be visible.

If this is the case, where ungrouped NE's are visible, but Grouped are not, check to see if Java is installed on the server per our docs:
https://docs.splunk.com/Documentation/ITSI/latest/Configure/DeploymentPlanning#Java_requirements

Reply
Solved! Jump to solution

EricLloyd79
Builder
‎09-14-2018 11:04 AM

Yes, all I needed to do was turn OFF Event Grouping. Can you explain why having it ON would prevent any events from appearing?

0 Karma
Reply
Solved! Jump to solution

ssmoot_splunk
Splunk Employee
Splunk Employee
‎09-14-2018 01:10 PM

Event Grouping is used to gather like Notable events, which are stored in the itsi_tracked_alerts index. Having Event Grouping "On", searches the itsi_grouped_alerts index, however, without Java driving the NEAP engine that creates those events, the itsi_grouped_alerts index never populates.

Notable Events are stored in itsi_tracked_alerts
Notable Events that have been put into a group are maintained in itsi_grouped_alerts based on NEAP (Notable Event Aggregation Policy) For each group, there is a first/opening NE, and a last/closing NE

Having Event Grouping set to "On" searches the itsi_grouped_alerts index
Having Event Grouping set to "Off" searches the itsi_tracked_alerts index

0 Karma
Reply
Solved! Jump to solution

EricLloyd79
Builder
‎09-14-2018 12:16 PM

Also please note that I had to install Java on my server that ITSI was installed on so it could do Notable Events Aggregation

0 Karma
Reply
Solved! Jump to solution

EricLloyd79
Builder
‎09-13-2018 01:28 PM

I am literally running the searches from the Correlation Search config screen and it is returning results but refuses to put them into the Notable Events Review page, no matter what I do. What am I missing?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...