Splunk IT Service Intelligence

Why are notable events not appearing from my multi-KPI alert in IT Service Intelligence?

EricLloyd79
Builder

I am pretty confused as I have created a very basic multi-KPI Alert that basically triggers if my KPI is at Normal status or Higher (and yes, it is) so I can see what it looks like when Notable Events appear.

Yet no events are appearing ... I have enabled the correlation search... Can anyone think of any other suggestions why it may not be triggering? I'm completely at a loss.


ssmoot_splunk
Splunk Employee

One thing to check is whether the correlation search is creating an event in the itsi_tracked_alerts index. If there are no events, run the correlation search manually and see if you get results for the timeframe in question. If events are being created in itsi_tracked_alerts and you do not see Notable Events, try turning off Event Grouping while in Notable Events Review. Click the gear icon for View Settings, then select Off for Event Grouping. Once you hit Done, the ungrouped Notable Events should be visible.

If this is the case, where ungrouped NEs are visible but grouped ones are not, check whether Java is installed on the server per our docs:
https://docs.splunk.com/Documentation/ITSI/latest/Configure/DeploymentPlanning#Java_requirements



EricLloyd79
Builder

Yes, all I needed to do was turn OFF Event Grouping. Can you explain why having it ON would prevent any events from appearing?


ssmoot_splunk
Splunk Employee

Event Grouping is used to gather like Notable Events, which are stored in the itsi_tracked_alerts index. Having Event Grouping "On" searches the itsi_grouped_alerts index; however, without Java driving the NEAP engine that creates those events, the itsi_grouped_alerts index never populates.

Notable Events are stored in itsi_tracked_alerts.
Notable Events that have been put into a group are maintained in itsi_grouped_alerts based on the NEAP (Notable Event Aggregation Policy). For each group, there is a first/opening NE and a last/closing NE.

Having Event Grouping set to "On" searches the itsi_grouped_alerts index.
Having Event Grouping set to "Off" searches the itsi_tracked_alerts index.

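The index check from the accepted answer and the tracked-versus-grouped explanation above can be run as a single search. This is an added SPL example, not from this thread; it assumes only the two ITSI index names named in the answers and a 24-hour window.

```spl
| tstats count where (index=itsi_tracked_alerts OR index=itsi_grouped_alerts) earliest=-24h by index
| stats sum(eval(if(index="itsi_tracked_alerts", count, 0))) as tracked,
        sum(eval(if(index="itsi_grouped_alerts", count, 0))) as grouped
| eval diagnosis=case(
      tracked=0, "no notable events written: run the correlation search manually for the time range",
      grouped=0, "notable events exist but none are grouped: NEAP is not producing groups, check Java on the ITSI search head",
      true(),    "both indexes populated: check the Notable Events Review time range and filters")
```

A result with tracked > 0 and grouped = 0 matches the situation in this thread, where only ungrouped events are visible with Event Grouping turned off.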

EricLloyd79
Builder

Also please note that I had to install Java on my server that ITSI was installed on so it could do Notable Events Aggregation


EricLloyd79
Builder

I am literally running the searches from the Correlation Search config screen and it is returning results but refuses to put them into the Notable Events Review page, no matter what I do. What am I missing?
