Automate event correlation with Event iQ in ITSI
Automatically group alerts into episodes
Event iQ in IT Service Intelligence (ITSI) uses machine learning algorithms to compare field values and correlate notable events into episodes. Instead of defining manual attributes to correlate events, you can automatically identify the correct attributes to use in your grouping policies. After you onboard alerts to ITSI, you can set criteria to filter alerts, and use Event iQ to create your event correlation policies based on an analysis of historical event data. Additionally, configure episode actions to run based on defined criteria.
Using Event iQ in your workflow helps you quickly set up automated alert monitoring, reduce alert noise, and execute event actions. Additionally, algorithms can be continuously tuned to fit your environment's alerting needs.
Apply Event iQ to an aggregation policy
- Before you begin, confirm that Java version 8 or higher is installed. ITSI requires it to run notable event management features, including Event iQ.
- From the ITSI main menu, select Configuration then Event Management then Notable Event Aggregation Policies.
- Select an existing policy to apply Event iQ. Otherwise, select Create policy to create a new event aggregation policy.
- Generate the suggested group by fields in the Filtering Criteria and Instructions section. Specify a field name and value for the episode policy to detect. Any notable events that match the filtering criteria and apply to the policy will be selected by the policy. Use an AND clause to add additional rules to the rule block, or add an OR clause to start a new rule block.
- Activate the Event iQ toggle. Set the analysis window that the algorithm will use to generate the suggested grouping fields based on a historical analysis of your alert data. Choose an analysis window that generates enough data for the algorithm to analyze.
- Select the Run analysis button to display the aggregation fields generated by the Event iQ algorithm. After the recommendations appear, select Advanced settings to view the specific fields.
- (Optional) After configuring a rule, select Preview results to preview the alerts that will be generated by the conditions you set.
- (Optional) After the grouping fields are generated, set advanced settings to update the ranking of the fields by level of importance. The Event iQ algorithm will generate an initial ranking of fields, but you can make changes to that initial ranking.
- Set criteria for when to create a new episode in the Break episode section. When the breaking criteria are met, the current episode can no longer have any events added to it, and a new episode starts with the next notable event. For example, you might enter "Break episode if the following event occurs: message matches *status Normal". This rule breaks an episode once it receives a notable event with a Normal status, indicating the problem is resolved.
- Set how you want information about each episode to display in the Episode information section. Select settings for details such as the episode's severity, event type, status, and other criteria that will display on the Episode Review dashboard.
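To make the policy mechanics above concrete, here is an added example (not Splunk or ITSI code) that models an aggregation policy over a handful of constructed notable events: filtering criteria expressed as OR'ed rule blocks of AND'ed rules, grouping into episodes by a fixed set of fields, a break rule of the form "message matches *status Normal" that closes the current episode, and an episode severity rolled up from its events. The field names, sample events, operators and severity ranking are all assumptions for the illustration; Event iQ's machine-learning field suggestion is not reproduced, so the group-by fields are supplied as if chosen in Advanced settings.

```python
"""Toy model of an ITSI-style notable event aggregation policy.

Added example, not Splunk/ITSI code. Sample events, field names, the rule
syntax and the severity ranking are constructed for illustration only.
"""
import fnmatch
from dataclasses import dataclass, field

# Constructed sample notable events (hypothetical fields and values).
EVENTS = [
    {"_time": 1, "host": "web01", "service": "checkout", "severity": "high",
     "message": "CPU status Critical"},
    {"_time": 2, "host": "web01", "service": "checkout", "severity": "high",
     "message": "Memory status Warning"},
    {"_time": 3, "host": "db01", "service": "orders", "severity": "low",
     "message": "Disk status Normal"},
    {"_time": 4, "host": "web01", "service": "checkout", "severity": "low",
     "message": "CPU status Normal"},
    {"_time": 5, "host": "web01", "service": "checkout", "severity": "medium",
     "message": "CPU status Warning"},
    {"_time": 6, "host": "web02", "service": "checkout", "severity": "high",
     "message": "CPU status Critical"},
]

# Filtering criteria: an OR of rule blocks, each block an AND of rules.
# A rule is (field, operator, value); "matches" is a wildcard comparison.
FILTER = [
    [("service", "=", "checkout")],                             # rule block 1
    [("severity", "=", "high"), ("host", "matches", "db*")],    # OR rule block 2
]

# Grouping fields, as if selected in Advanced settings (assumed).
GROUP_BY = ["host", "service"]

# Break rule: close the episode once a "status Normal" message arrives.
BREAK_RULE = ("message", "matches", "*status Normal")

# Assumed ordering used to roll up an episode's severity from its events.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Episode:
    key: tuple                       # values of the group-by fields
    events: list = field(default_factory=list)
    closed: bool = False             # set once the break rule fires


def rule_matches(event, rule):
    """Evaluate one (field, operator, value) rule against an event."""
    field_name, op, value = rule
    actual = str(event.get(field_name, ""))
    if op == "=":
        return actual == value
    if op == "matches":
        return fnmatch.fnmatchcase(actual, value)
    raise ValueError(f"unsupported operator {op!r}")


def passes_filter(event, rule_blocks):
    """OR across rule blocks, AND within a block."""
    return any(all(rule_matches(event, r) for r in block) for block in rule_blocks)


def correlate(events, rule_blocks, group_by, break_rule):
    """Group filtered events into episodes keyed by the group-by fields.

    The event that satisfies the break rule is still added to the current
    episode, which is then closed; the next event for that key opens a new one.
    """
    episodes, open_by_key = [], {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        if not passes_filter(ev, rule_blocks):
            continue
        key = tuple(str(ev.get(f, "")) for f in group_by)
        ep = open_by_key.get(key)
        if ep is None:
            ep = Episode(key=key)
            episodes.append(ep)
            open_by_key[key] = ep
        ep.events.append(ev)
        if break_rule is not None and rule_matches(ev, break_rule):
            ep.closed = True
            del open_by_key[key]
    return episodes


def episode_severity(ep):
    """Highest severity seen across the episode's events."""
    return max((e["severity"] for e in ep.events), key=lambda s: SEVERITY_RANK.get(s, -1))


def summarize(episodes):
    """Episode Review style rows: key, event count, severity, open/closed."""
    return [{"key": ep.key, "event_count": len(ep.events),
             "severity": episode_severity(ep), "closed": ep.closed}
            for ep in episodes]


if __name__ == "__main__":
    for row in summarize(correlate(EVENTS, FILTER, GROUP_BY, BREAK_RULE)):
        print(row)
```

With the constructed input, the web01/checkout events form one episode that is closed by the "CPU status Normal" message, the following web01 warning opens a second episode for the same key, web02 gets its own episode, and the db01 event is dropped by the filter.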