Overview of enrichment policies in ITSI

Enrichment policies in Splunk IT Service Intelligence add context to your alert data to speed up incident triage and resolution. A policy attaches meaningful metadata to each raw alert, such as service topology, entity details, and maintenance windows, so that the people and correlation rules working an episode see that context without having to look it up elsewhere.

Enrichment policies leverage data from Configuration Management Databases (CMDBs), asset management tools, and dynamic service topologies.

Create an enrichment policy

Before you create an enrichment policy, ensure your data is properly configured and formatted for ingestion into Splunk ITSI.

  1. On the Data Integrations page, select Generic in the Enrichment policies section.

  2. Select Create mapping.

  3. Add a name and description to your policy.

  4. Specify the data source. Either select an existing lookup, or create a new one by uploading a CSV file; the file is parsed and imported so that its columns are available for selection in the next step. Select Next.

  5. Select the field ID to match on, then mark the additional lookup fields whose values you want added to the alert as enrichment metadata. The field ID that you select is the key on which the policy's lookup definition matches alerts against the lookup.

  6. Select Save.
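The procedure above amounts to a keyed join between incoming alerts and a lookup table. The following Python model, added here as an illustration and not ITSI's own code, shows what that join does and the two checks worth keeping in mind when you prepare the CSV: the match field must be unique per row, and an alert whose match value has no row in the lookup receives no enrichment. The CSV content, the field names (host, service, owner, maintenance_window) and the function names are constructed for this example.

```python
import csv
import io

# Constructed sample lookup CSV (not from the page): one row per host.
# "host" is the match field; the remaining columns are enrichment fields.
LOOKUP_CSV = """host,service,owner,maintenance_window
web-01,Checkout,payments-team,Sat 02:00-04:00
db-01,Inventory,data-team,none
"""


def load_lookup(csv_text, key_field):
    """Parse a CSV lookup into a dict keyed on the match field.

    Keys are normalised (stripped, lower-cased) so that an alert reporting
    'WEB-01' still matches the row for 'web-01'. A duplicate key is rejected
    because the join would otherwise silently pick one of the rows.
    """
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row[key_field].strip().lower()
        if key in table:
            raise ValueError(f"duplicate key {key!r}: the match field must be unique")
        table[key] = {k: v for k, v in row.items() if k != key_field}
    return table


def enrich_alert(alert, lookup, key_field, fields=None):
    """Return a copy of the alert with the selected enrichment fields added.

    - `fields` restricts which lookup columns are copied (None means all).
    - Existing alert fields are never overwritten by lookup values.
    - An alert with no matching lookup row gets only enrichment_matched=False,
      so downstream logic can tell "no data" apart from "matched, value empty".
    """
    enriched = dict(alert)
    key = str(alert.get(key_field, "")).strip().lower()
    row = lookup.get(key)
    if row is None:
        enriched["enrichment_matched"] = False
        return enriched
    for name, value in row.items():
        if fields is not None and name not in fields:
            continue
        enriched.setdefault(name, value)
    enriched["enrichment_matched"] = True
    return enriched


if __name__ == "__main__":
    lookup = load_lookup(LOOKUP_CSV, "host")
    # Constructed alerts: one that matches a lookup row, one that does not.
    for alert in ({"host": "WEB-01", "severity": "high"}, {"host": "cache-07", "severity": "low"}):
        print(enrich_alert(alert, lookup, "host", fields={"service", "owner"}))
```

When you select only some lookup columns in step 5, the behaviour matches the `fields` argument here: unselected columns such as maintenance_window are not copied onto the alert.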

Apply enrichment policies to data integrations

You can apply your new enrichment policy to an existing data integration in ITSI by selecting the policy as the source in the Configure alert enrichment section of that integration. After you select the policy, the match fields and enrichment fields it uses are displayed, so you can confirm that the match field exists in the alerts the integration produces.

View enriched alerts in Episode Review

You can view the additional data added to your alerts on the Episode Review dashboard. Select the Events Timeline tab to view any event changes or outages.