Overview of notable events in ITSI
A notable event is the foundational unit of the IT Service Intelligence (ITSI) Event Analytics functionality. A notable event is a stored alert with a unique ID, time, status, severity, and owner. Notable events are typically generated by a correlation search, but they can also be directly fed into the system by anomaly detection or other REST sources.
Notable events are fed into the Event Analytics Rules Engine to create episodes and trigger episode actions. For more information about how the Rules Engine functions, see About the ITSI Rules Engine.
Splunk IT Service Intelligence (ITSI) implements custom indexes for notable event storage. In a single instance deployment, the installation of ITSI creates the indexes in $SPLUNK_HOME/var/lib/splunk.
The following table lists the indexes used to store notable event and episode metadata:
| Index | Description |
|---|---|
| itsi_tracked_alerts | Stores active raw notable event data. |
| itsi_notable_audit | Stores all audit events for episodes, including actions, comments, status change, and owner change. |
| itsi_grouped_alerts | Stores active episode data. |
| itsi_notable_archive | Stores episode tags that have been moved from the KV store after a default 6 month retention period, which begins when you close an episode in the UI. Moving data from the KV store removes extraneous data and helps improve performance. |
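As an added illustration, not taken from the ITSI documentation, the following search uses the index names from the table above to find episodes that nobody has acted on: it combines active episode records from `itsi_grouped_alerts` with the per-episode audit trail in `itsi_notable_audit` and keeps only episodes that have no audit events at all. The field names `itsi_group_id`, `severity`, `owner` and `status`, and the assumption that audit events carry the same `itsi_group_id` as the episode they belong to, are assumptions about the event schema rather than facts stated on this page; check them against your own deployment before relying on the result.

```spl
index=itsi_grouped_alerts OR index=itsi_notable_audit earliest=-7d
| eval record_type=if(index="itsi_grouped_alerts", "episode", "audit")
| stats count(eval(record_type="audit")) AS audit_events
        latest(severity) AS severity
        latest(owner) AS owner
        latest(status) AS status
        min(_time) AS first_seen
        max(_time) AS last_seen
        BY itsi_group_id
| where audit_events=0
| convert ctime(first_seen) ctime(last_seen)
| sort - severity first_seen
```

Episodes with `audit_events=0` have never had an action, comment, status change or owner change recorded against them, so the list is a quick way to spot high-severity episodes that are being ignored. Because `itsi_notable_archive` only receives data after the retention period, it is deliberately left out of this search: including it would mix closed, archived episodes with active ones. The time window, the status encoding and the meaning of the severity values are deployment-specific and are assumed here.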
itsi_event_grouping search because it significantly impacts system performance.