Re: ITSI Episodes Data Inconsistent

krunoslav · ‎09-01-2020

Hello,

When fetching the episodes from ITSI via REST (https://hostname:8089/servicesNS/fsspl06/itsi/event_management_interface/notable_event_group?filter={"status":"1","severity":{"$gte":"3"}}) a list of several episodes with status "New" is obtained. However, in the ITSI GUI, in the Episode Review tab, a search for all new episodes over all time returns no results. How is this possible? Any clues on how to debug this? Thanks

eduncan · ‎09-02-2020

If you are sure that even in the itsi_summary index that the groupid's for the ones retrieved via rest are NOT there, then I'd open a support case.

eduncan · ‎09-01-2020

Need more info on your filter. What is set for Status Filter and Severity Filter?

krunoslav · ‎09-01-2020

In ITSI GUI the Status is set to New and the severity is not set

eduncan · ‎09-01-2020

Also if you search the. index=itsi_grouped_alerts do you see the groupID of the same episodes you got from the REST API?

krunoslav · ‎09-01-2020

No, the episodes returned via REST are not found in the index.

ITSI Episodes Data Inconsistent

troubleshooting

using ITSI

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation