That's quite easy. Every Episode has an ID, so you can build a link like https://yoursplunkinstance/en-US/app/itsi/itsi_event_management?episodeid=abc25865-33b3-484b-bd45-5dd2ff254be7  ... View more

first, you should avoid using stats commands while creating KPIs, sometimes it's not possible but in this case you can do all the stats-magic in the KPI calculation. After this, your alarms will be in the index itsi_tracked_alerts. When you have those alerts, they must be put into Episode(s) by a Notable Event Aggregation Policy. With this NEAP you bundle events by a specific criteria. And when you process events you can also trigger something by this NEAP like sending a email. You can use a lookup to figure out, which email should be used ie by hostname or department or whatever. ... View more

I think this is more or less a description of design problems. Maybe you can post this in https://ideas.splunk.com/ to ask if this could be changed. ... View more

Thanks for your request. As you have mentioned you have some alerts, I assume those alerts you can also find in the index itsi_tracked_alerts, right? If so, you want to "bundle" those alerts somehow by a specific criteria. You are right, therefore a NEAP is needed. You can ie say you want to bundle the same alerts by hostname. Do you already have a NEAP which should do this or what was your idea to archive this? ... View more

Hi, Splunk and ITSI licenses must be the same type, like prod, dev or test. So I assume while both are NFR they are the same type. You have installed the "ITSI license checker" out of the itsi-package on your license server? ... View more

Yes, you should edit your Entity Search by implementing a new Info field like "location" which is filled ie by rex. ... View more

As mentioned, ITEW is the same package as ITSI but it feels like you can only use 10% of it for free without buying a license. ... View more

You can Download IT Essentials Work, it's an ITSI without a license. But you can upgrade it to a full ITSI if you insert a license once. https://splunkbase.splunk.com/app/5403 ... View more

There are some apps on splunkbase which might help you: https://splunkbase.splunk.com/app/7384 https://splunkbase.splunk.com/app/6724   ... View more

if you are in the episode you’ll see by which notable event aggregation policy your episode is created. Were both created by the same NEAP? When you take a look into the timeline in each of your episode you‘ll also see what’s alerted. Could it be you have different Episodes because you have a notable event for KPI and for the service health score? Maybe your KPI has a critical status and your service is middle because you have a second KPI in your service and they are both weighted with 5? ... View more

I wouldn’t do it with the multi KPi alert. If you install the content pack for monitoring and alerting in ITSI there will be some new correlation searches which are monitoring a sustained status for Entities or KPIs or services. This searches can be modified if needed. ... View more

This post is old but unanswered. I did it this way:  index=itsi_grouped_alerts | lookup itsi_notable_group_user_lookup event_identifier_hash as itsi_group_id | search status=1 ... View more

In this case it is asking for an „Episode State“. Do you try to set episode state by an info in the event? ... View more

Take a look into the index itsi_grouped_alerts and try to find your alert which should fire the alert action. Check if you can find the field you are referring to in this event and if there is content. ... View more

As far as I know the only way is to build this by yourself. An idea would be to establish this with a correlation search which detects the change, will create a notable event which will be added to the episode because the neap will fetch it and trigger the event you want to have. As a common way to do this, this event should have a specific field like send_email=yes and email_content=>YOURCINTENT< so you can use this field as trigger and preconfigured the content of your email. ... View more

Hi,   maybe you are searching for this: https://docs.splunk.com/Documentation/Splunk/9.3.1/Alert/EmailNotificationTokens   please take also a look into index=_internal if there is a hint why your emails aren’t send. Have you tried if a normal spl query with the command „sendemail“ works? Email server settings are correct?  ... View more

haha, so you are the same one, awesome! ... View more

maybe |getservice can also help 😉 |getservice    ... View more

Hi @isoscow , I am doing this regulary, I create a new event with a correlation search which is added to my episode. In this event there are new fields with the value I want to send to my ticketing system. My Action Rule in my NEAP reacts on this fields. Here is also the conf talk Peter Zumbrink and I did this year at .conf24 where we are telling how we are doing this: https://conf.splunk.com/watch/conf-online.html?search=OBS1137C#/ ... View more

There is a project on github for doing bulk editing called itsi_toolbox, maybe this can help. But be careful, it's not an official tool which is supported by splunk and you can destroy your whole itsi very easy and fast! ... View more

A few days ago I've seen someone in the Slack Usergroup who also had a problem with ITSI 4.18.1, but just on one of his environments. Can you explain your error a little more specific, do you get an error message or does Splunk only tells you there is no content in your csv? Can you please try to import your csv on a different Splunk environment, maybe which is in a different version? Just to check. ... View more

Hi, take a look at the command | getservice , with this command you'll be able to create a table with all the data you need and export it as csv. ... View more

If you have the episodeID, you can link directly to it: https://YOURSPLUNKSERVER:8000/en-US/app/itsi/itsi_event_management?earliest=-7d%40h&latest=now&form.earliest_time=-7d%40h&form.latest_time=now&episodeid=YOUREPISODEID Please be aware of the time span, if episode is older than 7d it won't be found because in THIS link -7d is set. ... View more

was awesome, like it to talk to the experts and discussing about everything around ITSI! ... View more

do you see something in _internal regarding the execution of the script? What about other scripts, if you create a new action rule with a different script, does this work or are all scripts failing? ... View more