Splunk ITSI

Splunk IT Service Intelligence: Are notable event aggregation policies stored in a .conf file?

earlhelms
Path Finder

Are Splunk IT Service Intelligence (ITSI) notable event aggregation policies stored in a .conf file? If so, where is it? the only thing that I see documented is how to view via the GUI.

0 Karma
1 Solution

mglauser_splunk
Splunk Employee
Splunk Employee

Hello,

ITSI Notable Event Aggregation Polices are stored in the KVStore. Collection related stanza is [itsi_notable_event_aggregation_policy] in
SPLUNK_HOME/etc/apps/SA-ITOA/default/collections.conf.

View solution in original post

mglauser_splunk
Splunk Employee
Splunk Employee

Hello,

ITSI Notable Event Aggregation Polices are stored in the KVStore. Collection related stanza is [itsi_notable_event_aggregation_policy] in
SPLUNK_HOME/etc/apps/SA-ITOA/default/collections.conf.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...