Splunk IT Service Intelligence

ITSI episodes and notables have duplicate field values (title, entity, identifier)


Hello Splunkers,


We have a new correlation search deployed to ingest a 3rd party (logicmonitor) system's alerts.  The long/short is, we have a script polling their API every minute and writing the events in JSON to an index.  Each alert is an individual event and they all have unique IDs.


The correlation search is super simple mapping severity and itsi_eventtype.   The following details are configured in the search:

Entity Lookup Field = ObjectName

(this is a field with the name of the object creating the alert, this maps to entities in ITSI and usually a hostname or IP)

Notable Event Title = %TemplateName%

(this is the field in the data showing the common rule that's triggered and how we group the events)

Severity = %severity%

(mapped using eval)

We then have an aggregation policy which matches the itsi_eventtype which is created using eval and then splits the notables by TemplateName field.

Everything is working, execpt the episodes / notable titles are duplicated (e.g. SQL Performance Alert SQL Performance Alert.  Where the TemplateName value would be "SQL Performance Alert").  This happens also for the impacted entities, event timeline event type, etc.)

Screen Shot 2020-12-29 at 2.01.58 PM.png


Not sure what's going on here, it seems only to impact this one correlation search, the only other correlation search comes from the kubernetes content pack and it works fine.


Thanks for any help!!  



Labels (1)
Tags (2)
0 Karma
Get Updates on the Splunk Community!

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...