Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are notable events not appearing from my multi-KPI alert in IT Service Intelligence?

EricLloyd79
Builder
‎09-13-2018 10:57 AM

alt textI am pretty confused as I have created a very basic multi-KPI Alert that basically triggers if my KPI is at Normal status or Higher (and yes, it is) so I can see what it looks like when Notable Events appear.

Yet no events are appearing ... I have enabled the correlation search... Can anyone think of any other suggestions why it may not be triggering? I'm completely at a loss.

Preview file
210 KB
Preview file
228 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ssmoot_splunk
Splunk Employee
Splunk Employee
‎09-14-2018 10:36 AM

One thing to check is whether the correlation search is creating an event in itsi_tracked_alerts index, if there are no events, then run the correlation search manually and see if you get results for the timeframe in question. If there are events being created in itsi_tracked_alerts and you do not see Notable Events, try turning off the Event Grouping while in Notable Events Review. Click on the gear icon for View Settings, then select off for Event Grouping, once you hit Done, the ungrouped Notable Events should now be visible.

If this is the case, where ungrouped NE's are visible, but Grouped are not, check to see if Java is installed on the server per our docs:
https://docs.splunk.com/Documentation/ITSI/latest/Configure/DeploymentPlanning#Java_requirements

View solution in original post

Reply
Solved! Jump to solution
Solution

ssmoot_splunk
Splunk Employee
Splunk Employee
‎09-14-2018 10:36 AM

One thing to check is whether the correlation search is creating an event in itsi_tracked_alerts index, if there are no events, then run the correlation search manually and see if you get results for the timeframe in question. If there are events being created in itsi_tracked_alerts and you do not see Notable Events, try turning off the Event Grouping while in Notable Events Review. Click on the gear icon for View Settings, then select off for Event Grouping, once you hit Done, the ungrouped Notable Events should now be visible.

If this is the case, where ungrouped NE's are visible, but Grouped are not, check to see if Java is installed on the server per our docs:
https://docs.splunk.com/Documentation/ITSI/latest/Configure/DeploymentPlanning#Java_requirements

Reply
Solved! Jump to solution

EricLloyd79
Builder
‎09-14-2018 11:04 AM

Yes, all I needed to do was turn OFF Event Grouping. Can you explain why having it ON would prevent any events from appearing?

0 Karma
Reply
Solved! Jump to solution

ssmoot_splunk
Splunk Employee
Splunk Employee
‎09-14-2018 01:10 PM

Event Grouping is used to gather like Notable events, which are stored in the itsi_tracked_alerts index. Having Event Grouping "On", searches the itsi_grouped_alerts index, however, without Java driving the NEAP engine that creates those events, the itsi_grouped_alerts index never populates.

Notable Events are stored in itsi_tracked_alerts
Notable Events that have been put into a group are maintained in itsi_grouped_alerts based on NEAP (Notable Event Aggregation Policy) For each group, there is a first/opening NE, and a last/closing NE

Having Event Grouping set to "On" searches the itsi_grouped_alerts index
Having Event Grouping set to "Off" searches the itsi_tracked_alerts index

0 Karma
Reply
Solved! Jump to solution

EricLloyd79
Builder
‎09-14-2018 12:16 PM

Also please note that I had to install Java on my server that ITSI was installed on so it could do Notable Events Aggregation

0 Karma
Reply
Solved! Jump to solution

EricLloyd79
Builder
‎09-13-2018 01:28 PM

I am literally running the searches from the Correlation Search config screen and it is returning results but refuses to put them into the Notable Events Review page, no matter what I do. What am I missing?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...