Splunk ITSI
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are ITSI Impacted Entities are not showing up in the Episode Review?

iamsplunker
Communicator
‎04-10-2023 01:20 PM

Hi ,I've created the correlation search for problem notifications and defined/enabled the entities in the search also defined the entities in the service. The search is generating notable events. However the impacted entities are not showing up.

Please advise on the next steps what to verify/check to see this in the Episode Review.

iamsplunker_0-1681157772407.png

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

srauhala_splunk
Splunk Employee
Splunk Employee
‎04-17-2023 06:04 AM

Hi! are the field entity_title used in the notable events / episodes? 

View solution in original post

Reply
Solved! Jump to solution

proyleJDS
Path Finder
‎08-04-2024 11:48 PM

I was having the same trouble, even after adding the entity_title field to my correlation search. I fixed it by also adding the entity_key field.

0 Karma
Reply
Solved! Jump to solution

merrelr
Path Finder
‎04-04-2024 11:20 AM

My Episodes didn't have any "Impacted entities" until I enabled the correlation search "Service Monitoring - Entity Degraded"

0 Karma
Reply
Solved! Jump to solution

STancredi
Loves-to-Learn
‎10-04-2023 05:13 AM

So I am experiencing this same issue as well, what would be the best way to add entity_title into a search or incorporate the field into the notable event/episodes?

0 Karma
Reply
Solved! Jump to solution

srauhala_splunk
Splunk Employee
Splunk Employee
‎10-04-2023 06:23 AM

Hi @STancredi

Are you using services in ITSI? in that case you should already have the entity_title and serviceid in the itsi_summary index. Just do not remove them in your correlation search.

/Seb  

0 Karma
Reply
Solved! Jump to solution

STancredi
Loves-to-Learn
‎10-04-2023 08:00 AM

Correct, my environment is currently utilizing services.

I do see the entity_title and serviceid within the index, so thats a good thing at least. The only correlation search we have enabled right now only utilizes entity_title apparently (I did not set these up) as its Entity Lookup field . I also reviewed our notable event aggregation policies and noticed that the only ones enabled reference the serviceid, but not entity_title. We're currently having alerts/episodes generated by the Splunk App for Infrastructure (for normalization) and a different aggregator. Neither show the Impacted Entities. Im guessing something isnt configured properly in either of them to have that data show; OR my entities are messed up.

0 Karma
Reply
Solved! Jump to solution

iamsplunker
Communicator
‎04-19-2023 10:58 AM

I added entity_title to my search. The impacted entities are now showing up.

Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

srauhala_splunk
Splunk Employee
Splunk Employee
‎04-17-2023 06:04 AM

Hi! are the field entity_title used in the notable events / episodes? 

Reply
Get Updates on the Splunk Community!

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...

Out of the Box to Up And Running - Streamlined Observability for Your Cloud ...

  Tech Talk Streamlined Observability for Your Cloud Environment Register    Out of the Box to Up And Running ...

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...