Re: itsi_event_grouping

salinasaritha · ‎08-14-2025

I have 2 alerts open alert and clear alert. both are triggering at different timestamps but they are unable to group into single episode. what is the root cause

livehybrid · ‎08-14-2025

Hi @salinasaritha

We will need a lot more information to be get to the bottom of this. How are you generating these alerts? Do these come from a Notable Event Aggregation Policy (NEAP) to group them? What steps have you taken so far to investigate this? Are both notables reaching the NEAP?

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

salinasaritha · ‎08-14-2025

Hi @livehybrid ,

yes they come from Notable Event Aggregation Policy (NEAP. they are reaching Neap and those are having common criteria as alertname and split by alertname in the neappolicy

skramp · ‎09-22-2025

Thanks for your request. As you have mentioned you have some alerts, I assume those alerts you can also find in the index itsi_tracked_alerts, right? If so, you want to "bundle" those alerts somehow by a specific criteria. You are right, therefore a NEAP is needed. You can ie say you want to bundle the same alerts by hostname. Do you already have a NEAP which should do this or what was your idea to archive this?

itsi_event_grouping

using ITSI

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

Join the Conversation