Splunk ITSI

Why are ITSI Impacted Entities not showing up in the Episode Review?

iamsplunker
Communicator

Hi, I've created the correlation search for problem notifications, defined/enabled the entities in the search, and also defined the entities in the service. The search is generating notable events. However, the impacted entities are not showing up.

Please advise on the next steps: what to verify/check to see this in the Episode Review.

[Screenshot attached by the original poster: iamsplunker_0-1681157772407.png]


1 Solution

srauhala_splunk
Splunk Employee

Hi! Is the field entity_title used in the notable events / episodes?


proyleJDS
Path Finder

I was having the same trouble, even after adding the entity_title field to my correlation search. I fixed it by also adding the entity_key field.


merrelr
Path Finder

My Episodes didn't have any "Impacted entities" until I enabled the correlation search "Service Monitoring - Entity Degraded".


STancredi
Loves-to-Learn

So I am experiencing this same issue as well. What would be the best way to add entity_title into a search or incorporate the field into the notable events/episodes?


srauhala_splunk
Splunk Employee
Splunk Employee

Hi @STancredi

Are you using services in ITSI? In that case you should already have entity_title and serviceid in the itsi_summary index. Just do not remove them in your correlation search.

/Seb

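As an added illustration of the two replies above (it is not code from the thread or from Splunk's ITSI content), here is a diagnostic search followed by a correlation search body that keeps the entity fields the replies name. Only entity_title, entity_key, serviceid and the itsi_summary index come from the thread; the rest is assumed: that ITSI notable events land in the itsi_tracked_alerts index, and that itsi_summary carries is_service_aggregate, alert_severity, alert_value and kpi with the meanings used here.

```spl
index=itsi_tracked_alerts earliest=-24h
| eval entity_title_present=if(isnotnull(entity_title), "yes", "no"),
       entity_key_present=if(isnotnull(entity_key), "yes", "no"),
       serviceid_present=if(isnotnull(serviceid), "yes", "no")
| stats count BY entity_title_present entity_key_present serviceid_present

index=itsi_summary is_service_aggregate=0 alert_severity="critical"
| stats latest(alert_value) AS alert_value latest(alert_severity) AS alert_severity
        BY serviceid entity_key entity_title kpi
| eval title="Critical KPI ".kpi." on ".entity_title,
       description="KPI ".kpi." reported value ".alert_value." for entity ".entity_title
| fields serviceid entity_key entity_title kpi alert_value alert_severity title description
```

The first search is the check: run it before touching the correlation search, and any row with "no" in the entity_title_present or entity_key_present column is a batch of notable events that Episode Review cannot map to an entity. In the second search the stats BY clause is what carries serviceid, entity_key and entity_title through to each notable event; the closing fields command lists them explicitly rather than dropping them, which is the mistake the thread is about. Set the correlation search's Entity Lookup field to entity_title so ITSI uses that field for the match.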

STancredi
Loves-to-Learn

Correct, my environment is currently utilizing services.

I do see the entity_title and serviceid within the index, so that's a good thing at least. The only correlation search we have enabled right now only utilizes entity_title apparently (I did not set these up) as its Entity Lookup field. I also reviewed our notable event aggregation policies and noticed that the only ones enabled reference the serviceid, but not entity_title. We're currently having alerts/episodes generated by the Splunk App for Infrastructure (for normalization) and a different aggregator. Neither show the Impacted Entities. I'm guessing something isn't configured properly in either of them to have that data show; OR my entities are messed up.


iamsplunker
Communicator

I added entity_title to my search. The impacted entities are now showing up.

Thanks!


