Network Event Intelligence with Splunk IT Service Intelligence

2 minutes   Authors Chris Putnam, Sam Scudere-Weiss, & Tim Hard

Welcome!

This hands-on workshop is designed specifically for anyone looking to effectively demonstrate and position the power of IT Service Intelligence (ITSI) for Network Event Intelligence use cases. Participants will gain practical experience integrating these platforms, focusing on real-world scenarios and use cases that resonate with potential clients. The workshop emphasizes the correlation of multiple sources across the Cisco Networking portfolio and 3rd party monitoring solutions, enabling Solution Architects to confidently showcase how Splunk can address the critical customer challenge of effective network event correlation.

Introduction and Overview

In today’s complex IT landscape, ensuring the performance and availability of applications and services is paramount. This workshop will introduce you to a powerful combination of tools including Cisco Catalyst Center, Solarwinds, Splunk Enterprise, and Splunk IT Service Intelligence (ITSI) that work together to provide comprehensive monitoring and alerting capabilities.

The Challenge of Modern Network Observability

Modern enterprise networks span an ever-growing mix of vendors and platforms ranging from Cisco solutions like Cisco Catalyst Center, Meraki, ThousandEyes to 3rd-party tools like SolarWinds, HPE Aruba Networking, and Palo Alto Networks. Each generates its own alerts, in its own format, delivered through its own console. When a network event occurs, operations teams are left manually hunting across disconnected tools to piece together what happened, where it started, and which services or users are affected. Without a common correlation layer, alert noise is high, investigation is slow, and the business impact of network incidents remains invisible until customers start calling.

The Solution: Network Event Intelligence

A comprehensive Network Intelligence strategy requires integrating data from various sources and correlating it to gain actionable insights. This workshop will demonstrate how the Splunk Platform and ITSI work together to achieve this.

  • Cisco Enterprise Networks: Provides top datasources from the Cisco Data Fabric such as Catalyst Center, Meraki, and ThousandEyes.

  • Splunk: Acts as the central platform for log analytics and the collection and correlation of data from any source, enabling powerful search, visualization, and correlation capabilities. Splunk provides a holistic view of your IT environment.

  • Splunk IT Service Intelligence (ITSI): Provides service intelligence by correlating data from all the other platforms. ITSI allows you to define services, map dependencies, and monitor Key Performance Indicators (KPIs) that reflect the overall health and performance of those services. ITSI is essential for understanding the business impact of IT issues.

Workshop Objectives

By the end of this workshop, you will have configured

  • ITSI to monitor network health from multiple locations using data from Cisco Catalyst Center
  • Inbound notifications from both Catalyst Center and Solarwinds for correlating alerts
  • Correlated episodes using notifications from both Catalyst Center and Solarwinds
  • Episodes that automatically resolve when the health of degraded services returns to normal

Tip

The easiest way to navigate through this workshop is by using:

  • the left/right arrows (< | >) on the top right of this page
  • the left (◀️) and right (▶️) cursor keys on your keyboard
Last Modified May 4, 2026

Subsections of Network Event Intelligence

Getting Started

2 minutes   Authors Chris Putnam, Sam Scudere-Weiss, & Tim Hard

Accessing your Workshop

Prior to this workshop you should have been provided details for accessing your workshop instance. This workshop utilizes a preconfigured environment which includes Splunk Enterprise and IT Service Intelligence. A link to the instance and the credentials are available in the Splunk Show instance details.

All of the data required for completing this workshop is available in the netops index. This index includes data from Catalyst Center, Meraki, and alerts from Solarwinds.

An automated break scenario runs on a 30 minute cycle. The Catalyst Center sites will be healthy for 15 minutes, followed by 15 minutes of degraded performance. While the environment is unhealthy, Issues and Alerts are generated from Catalyst Center and Solarwinds.

The majority of this workshop will be completed in IT Service Intelligence, so unless otherwise stated, navigation steps will start from there.

Access your workshop instance

1. Log in to the Splunk instance using the URL and credentials provided in your Splunk Show workshop details.

2. Navigate to Apps -> IT Service Intelligence.

The first time you open ITSI you may have to dismiss the Getting Started modal (after reading all of the important information, of course).

(Screenshot: ITSI Getting Started Modal)

Getting Data In

While this workshop is using datagen to provide a consistent scenario, in a real environment the following Splunk Apps and Add-ons are required for implementing the use cases covered in this workshop.

1. Cisco Catalyst Add-on for Splunk

The Cisco Catalyst Add-on for Splunk collects data from different Cisco products: Cisco Identity Services Engine, Cisco SD-WAN, Cisco Catalyst Center, and Cisco Cyber Vision. The add-on parses the data from these sources and stores it in Splunk indexes.

2. Splunk App for Content Packs

The Splunk App for Content Packs includes prepackaged content that helps with quick setup for your IT Service Intelligence (ITSI) environments. This prepackaged content consists of KPI Base searches, ITSI Glass Tables, templates, and other objects.

Info

This workshop uses the Content Pack for Cisco Enterprise Networks which allows you to automatically import services using the topology information provided by the Cisco Catalyst Add-on for Splunk.

3. SolarWinds Add-on for Splunk (Optional)

The SolarWinds Add-on for Splunk collects SolarWinds alerts and SolarWinds asset inventory (network devices and their various attributes). This add-on also includes a generic input that allows you to schedule any SolarWinds query and index the corresponding output in Splunk. You can then directly analyze the data or use it as a contextual data feed to correlate with other application performance-related data in the Splunk platform.

Info

This add-on is optional for the use cases covered in this workshop as the SolarWinds alerts are sent directly to the Splunk HTTP Event Collector which does not require the add-on. In real world scenarios, the add-on can provide additional context and data enrichment using the asset inventory information.

Additional Apps/Add-ons

1. Cisco Meraki Add-on for Splunk

The Splunk Add-on for Cisco Meraki provides comprehensive network observability and security monitoring across your Meraki organizations. This add-on collects rich data via Cisco Meraki REST APIs and webhooks to deliver insights into network performance, security, and device health. Sample visualizations are also provided to help explore the data and create custom dashboards.

Info

While Cisco Meraki is not covered in this workshop, there is Cisco Meraki data available in the netops index which would be collected using the Cisco Meraki Add-on for Splunk.

2. Cisco Enterprise Networking for Splunk Platform

The Cisco Enterprise Networking for Splunk Platform presents visualizations in dashboards for different Cisco products: Cisco Identity Services Engine, Cisco SD-WAN, Cisco Catalyst Center, Cisco Cyber Vision, Cisco Meraki, and Cisco ThousandEyes. The app uses the data collected by:

  • Cisco Catalyst Add-on for Splunk
  • Cisco Catalyst Enhanced Netflow Add-on for Splunk
  • Cisco Meraki Add-on for Splunk
  • Cisco ThousandEyes App for Splunk

(Screenshot: Cisco Enterprise Networking App)

Import Catalyst Center Services in ITSI

2 minutes   Authors Chris Putnam, Sam Scudere-Weiss, & Tim Hard

From Device Health to Location-Based Network Visibility

Traditional network monitoring tools report on individual devices (a router is up or down, a switch is reachable or not). That level of visibility tells you what failed but not where the impact is felt or how bad it is for the business. When a distribution switch at a branch office starts degrading, your operations team shouldn’t have to manually correlate alerts across tools to figure out that an entire site is affected.

This section addresses that gap. By importing Cisco Catalyst Center topology data into ITSI using the Content Pack for Cisco Enterprise Networks, you create a location-aware service model that aggregates device health up to the site level. Instead of watching 50 individual device alerts, you see a single service health score per site, giving your team an immediate answer to the question: which sites are having problems right now?

Why the Content Pack Matters

The Content Pack for Cisco Enterprise Networks (available through the Splunk App for Content Packs) is the key enabler here. Rather than manually building services and KPIs from scratch, the content pack uses topology data already collected by the Cisco Catalyst Add-on for Splunk to automatically discover and import your Catalyst Center sites as ITSI services. Each site becomes a service, and each service gets a set of pre-built KPIs that reflect the health of every network layer within that site.

The import workflow reads your Cisco Catalyst Center site hierarchy and creates one ITSI service per site. ITSI then runs entity discovery searches to associate the right devices (entities) with each service automatically. No manual mapping required!

(Screenshot: Import Catalyst Center Services)

The Catalyst Center Site Service Template

At the heart of this integration is the Catalyst Center Site Service Template. When services are imported, this template is applied to each site and provides six out-of-the-box KPIs, each tracking a different layer of the network stack at that location:

KPI                         | What It Measures
----------------------------|---------------------------------------------------
Access Layer                | Average HealthScore of Access Layer devices
Access Points               | Average HealthScore of Access Point devices
Core Layer                  | Average HealthScore of Core Layer devices
Distribution Layer          | Average HealthScore of Distribution Layer devices
Router Health               | Average HealthScore of Routers
Wireless Controller Health  | Average HealthScore of Wireless Controllers

These KPIs are sourced directly from the Cisco Catalyst Center HealthScore, a 1-10 score that Catalyst Center assigns to each device based on onboarding, connectivity, and radio frequency health. By averaging these scores per network layer, ITSI can pinpoint exactly which part of the stack is dragging down a site’s overall health. The result is that the jump from “Site X is degraded” to “the Access Layer at Site X is the problem” becomes a matter of seconds.

What You’ll Do in This Section

By the end of this section you will have:

  • Installed the Content Pack for Cisco Enterprise Networks and imported Catalyst Center sites as ITSI services
  • Validated that the Catalyst Center Site KPIs are populating correctly with real network health data

Subsections of 2. Import Catalyst Center Services in ITSI

Install the Cisco Enterprise Networks Content Pack

5 minutes   Authors Chris Putnam, Sam Scudere-Weiss, & Tim Hard

In this section you will install the Cisco Enterprise Networks Content Pack which provides pre-built services, KPIs, and data integrations for Cisco network infrastructure.

Exercise: Install the Cisco Enterprise Networks Content Pack

1. In ITSI, navigate to Configuration -> Data Integrations.

2. Select Content Library in the tabs under Data Integrations.

Info
Here you can see all of the out-of-the-box integrations that are available in the Splunk App for Content Packs.

(Screenshot: Data Integrations)

3. Select the Content Pack for Cisco Enterprise Networks, and click Proceed.

Info
This page gives you an overview of what's available in the content pack.

(Screenshot: Content Pack for Cisco Enterprise Networks)

4. Make sure Add all 14 objects is enabled.

5. Enable the Import As Enabled toggle.

IMPORTANT: Do not enter a prefix in the Add a prefix to your new objects section.

6. Click Install Selected.

Info
Make sure Add all 14 objects and Import As Enabled are both toggled on before clicking Install Selected.

(Screenshot: Install Selected)

7. Click Install.

Info
In production environments it's a best practice to take a backup before any major changes.

(Screenshot: Install)

8. Confirm the installation is complete.

Info
The summary confirms all objects were successfully installed.

(Screenshot: Installation Complete)

Nice Job!
The Cisco Enterprise Networks Content Pack is now installed!

In the next section you will see how the content pack can be used to automatically import Catalyst Center Sites as services in ITSI.

Click Configure Services and continue to the next section of the workshop.

ITSI Service and KPI Validation

5 minutes   Authors Chris Putnam, Sam Scudere-Weiss, & Tim Hard

With ITSI 4.21, manual import processes are replaced by a guided workflow and pre-built data integrations. The content pack includes service import modules that discover and build the service hierarchy for Meraki and Catalyst Center automatically.

Exercise: Import Services and Configure Alerts

Tip

To get back to the Import Services page for Catalyst Center, navigate to Configuration > Data Integrations > Content Library > Cisco Enterprise Networks.

1. Under Service Import Modules, select Cisco Catalyst Center.

Info
Automatic service hierarchy imports are supported for both Catalyst Center and Meraki

(Screenshot: Service Import Modules)

2. Select the Catalyst Center Host and all available services. Click Next.

Info
Select the Catalyst Center host and all available sites to import as ITSI services

(Screenshot: Select Services)

3. Select Default Service Sandbox. Click Next.

Info
Services are imported into a sandbox for review before being published to production ITSI

(Screenshot: Default Service Sandbox)

4. Review the Services that will be imported. Click Import.

Info
Review the complete list of Catalyst Center site services that will be created before clicking Import

(Screenshot: Review Services)

5. Review the Service Sandbox. Click Publish. After the precheck completes, click Next.

Info
Review the service hierarchy in the sandbox, then publish to make the services active in ITSI

(Screenshot: Service Sandbox)

6. Navigate to Configuration > Service Monitoring > Service and KPI Management.

7. Use the Select All check box to select all of your services.

8. With all services selected click Bulk Action > Enable.

Info
Use Bulk Action to enable all imported services at once from the Service and KPI Management page

(Screenshot: Service and KPI Management)

9. Click Enable. After a few minutes the KPIs will populate.

Info
Confirm the enable action. KPIs will begin calculating within a few minutes

(Screenshot: Enable KPIs)

Nice Job!
You just imported all of the Catalyst Center services without having to create any CSVs, lookups, write any SPL, or manually configure the service dependencies. Pretty neat, huh?

Continue to the next section to validate your configuration is working correctly.

Validate the Configuration

2 minutes   Authors Chris Putnam, Sam Scudere-Weiss, & Tim Hard

Confirm that the imported services and KPIs are calculating correctly, and that the alert pipeline from Catalyst Center is active before moving on.

Exercise: Validate the Configuration

1. Navigate to the Service Analyzer > Default Service Analyzer.

You should see the services you imported and the KPIs that are part of the Catalyst Center Site Service Template.

It may take a few minutes for your services and KPIs to show a health status.

Info
The Service Analyzer shows the imported Catalyst Center site services and their current health status

(Screenshot: ITSI Service Analyzer)

2. Click Tree to switch to the Service Tree view.

3. Click one of the Store services in the service tree to view the KPIs associated with the Catalyst Center Site.

Info
Clicking a service reveals its individual KPIs and their current health scores per network layer

(Screenshot: Service KPIs)

Congrats!
Your Catalyst Center services are live in ITSI!

In the next section you’ll configure the Inbound Notification Service which will automatically create notable events in ITSI when a Catalyst Center Issue occurs indicating degraded network performance.

Configure Catalyst Center Notifications

2 minutes   Authors Chris Putnam, Sam Scudere-Weiss, & Tim Hard

Bringing Catalyst Center Alerts into ITSI

With your Catalyst Center services and KPIs now live in ITSI, the next step is configuring inbound notifications so that Issues and Events generated by Catalyst Center flow directly into ITSI episodes. This creates the feedback loop that makes location-based monitoring actionable: a site’s KPI health score degrades, Catalyst Center raises an Issue, and that Issue surfaces in ITSI as a notable event tied to the affected site service.

The Cisco Catalyst Add-on for Splunk handles data ingestion, but alert normalization requires configuring an inbound notification connection within ITSI. The Content Pack for Cisco Enterprise Networks includes a pre-built alert data integration template for Catalyst Center that maps the relevant fields automatically, so setup is straightforward.

Note: In this section you will configure a custom version of the Catalyst Center inbound notification connection in ITSI, enabling Issues from Catalyst Center to appear as normalized notable events on the Episode Review page.

(Screenshot: Catalyst Center Notification Configuration)

What You’ll Do in This Section

By the end of this section you will have:

  • Configured a custom inbound notification connection for Cisco Catalyst Center alerts in ITSI
  • Mapped the alert fields required to associate events with the correct site service
Subsections of 3. Configure Catalyst Center Notifications

Setup Cisco Catalyst Inbound Notifications

5 minutes   Authors Chris Putnam, Sam Scudere-Weiss, & Tim Hard

ITSI 4.21 includes native data integrations for Cisco Meraki and Catalyst Center alerts. The recommended method is to activate the default connections, which are pre-configured with the required settings to normalize alerts. The default configuration can be customized to meet your customers' specific use cases. In this section you'll customize the alert so that you can correlate events across locations, and update the status mapping so that episodes can automatically resolve when the service health returns to normal.

Exercise: Configure Alert Integrations

1. In ITSI, navigate to Configuration > Data Integrations.

Info
The Alerts section of the Data Integrations library contains the pre-built connections for Catalyst Center and Meraki

(Screenshot: Data Integrations)

2. Under the Alerts section of the library, select Cisco Catalyst Center.

3. Click + Add Connection.

Info
Adding a custom connection lets you control the search, field mappings, and throttling behavior independently from the default

(Screenshot: Add Connection)

4. Enter Catalyst Center Alerts for the name. Use the following search:

index=netops sourcetype="cisco:dnac:issue"
| eval itsi_site = case(
    isnotnull(SiteNameHierarchy) AND SiteNameHierarchy!="", mvindex(split(SiteNameHierarchy, "/"), 3),
    isnotnull(DeviceName) AND DeviceName!="", "Store-" . mvindex(split(DeviceName, "-"), 0)
  )

Use the time picker to select Last 15 minutes.

5. Set the Lookback period to 5 minutes. Click Validate.

Note: If no events are found in the last 5 minutes, increase the Lookback to 60 minutes. Once your search returns results, be sure to set the Lookback period back to 5 minutes.

Info
Validation confirms the search returns events and that the field mappings are correct before saving

(Screenshot: Validate Connection)

6. Update the Source to a Mapping rule using Coalesce as the type.

7. Select DeviceName as the first field and SiteName as the second.

8. Enter IssueSpecificEntityValue in the else use this default value field.

Info
The Source field is used to identify the origin of the alert within ITSI episodes

(Screenshot: Update Source)

9. Update the Severity ID mapping to a Mapping rule using Value case mapping as the type.

10. Set the first condition to IssueStatus is equal to (not case sensitive) resolved, then use Normal.

11. Map the following values for the remainder of the if statement:

vendor_severity is equal to (not case sensitive) P1, then use Critical

vendor_severity is equal to (not case sensitive) P2, then use High

vendor_severity is equal to (not case sensitive) P3, then use Medium

vendor_severity is equal to (not case sensitive) P4, then use Low

And finally, set else use this default value to Info.

Info
Map Catalyst Center severity values to the ITSI severity scale so episodes display the correct priority

(Screenshot: Severity ID Mapping)

12. Update the subcomponent to itsi_site.

13. Change Run every to 1 minute.

14. Add NY HQ, Store-SJC10, and Store-SJC12 to the Service Association section.

15. Use SiteNameHierarchy for the Entity Lookup Field.

16. Turn on the Enable throttling toggle.

17. Set the Suppress period to every 5 minutes.

18. Click Preview Results in the upper right (Note: You may not get results in the preview. We will review the events during the Create a custom NEAP section).

19. Click Save and Activate.

Info
The subcomponent field is what links each alert to its corresponding Catalyst Center site service in ITSI

(Screenshot: Subcomponent Configuration)

Nice Job!
Catalyst Center alerts are now flowing into ITSI as normalized notable events linked to their site service.

In the next section you’ll add SolarWinds as a second alert source so ITSI can correlate events from both vendors.

Configure SolarWinds Notifications

5 minutes   Authors Chris Putnam, Sam Scudere-Weiss, & Tim Hard

Adding a Second Alert Source

A key goal of this workshop is demonstrating cross-vendor alert correlation. Cisco Catalyst Center covers your Cisco infrastructure, but many enterprise networks also rely on third-party monitoring tools like SolarWinds to track non-Cisco devices, WAN links, and broader network health metrics. When both sources raise alerts about the same site or time window, ITSI should be able to group them into a single episode rather than generating separate noise for each.

The SolarWinds Add-on for Splunk can provide deep asset context, but for this use case SolarWinds alerts are delivered directly to the Splunk HTTP Event Collector. The Content Pack for Cisco Enterprise Networks includes a pre-built integration template that normalizes these alerts so they are recognized by ITSI in the same way as Catalyst Center alerts.

In this section you will install the SolarWinds Content Pack and configure the inbound notification connection, completing the two-source alert pipeline that the NEAP in the next section will correlate.

What You’ll Do in This Section

By the end of this section you will have:

  • Installed the SolarWinds Content Pack and configured the inbound notification connection
  • Verified that SolarWinds alerts are flowing into ITSI as normalized notable events
Subsections of 4. Configure SolarWinds Notifications

Install the Solarwinds Content Pack

5 minutes   Authors Chris Putnam, Sam Scudere-Weiss, & Tim Hard

In this section you will install and configure the SolarWinds Content Pack to ingest SolarWinds alerts into ITSI, completing the two-source alert pipeline needed for cross-vendor correlation.

Exercise: Install the Solarwinds Content Pack

1. Navigate to the IT Service Intelligence app.

2. Go to Configuration > Data Integrations.

3. Select the Content Library tab, find the Content Pack for Solarwinds, and click Proceed.

Info
The SolarWinds Content Pack includes pre-built field mappings and alert templates for ITSI

(Screenshot: Content Pack for Solarwinds)

4. Enter Solarwinds Alerts for the connection title.

5. Use the following SPL for the search:

index=netops sourcetype="solarwinds:alert:hec"

6. Click Validate.

7. Set the Lookback period to 5 minutes.

Info
Validation confirms the search is returning SolarWinds events before saving the connection.

(Screenshot: Validate Connection)

8. Set Signature to title.

Info
The Signature field uniquely identifies each alert type and is used for deduplication within ITSI.

(Screenshot: Signature)

9. Update the Severity ID mapping to a Mapping rule using Value case mapping as the type.

10. Set the first condition to severity_id is equal to (not case sensitive) 1, then use Normal.

11. Map the following values for the remainder of the if statement:

severity_id is equal to (not case sensitive) 2, then use Low

severity_id is equal to (not case sensitive) 3, then use Medium

severity_id is equal to (not case sensitive) 4, then use High

severity_id is equal to (not case sensitive) 5, then use Critical

And finally, set else use this default value to Info.

Info
Map SolarWinds severity values to the ITSI severity scale so episodes display the correct priority.

(Screenshot: Severity ID Mapping)

12. Update the subcomponent to vendor_region.

Info
The subcomponent field links each SolarWinds alert to its corresponding site, enabling cross-vendor correlation.

(Screenshot: Subcomponent)

13. Expand additional fields and set the description to signature.

Info
Additional fields provide extra context visible when reviewing episodes in ITSI.

(Screenshot: Additional Fields)

14. Set the Schedule to Run Every Minute.

15. Add NY HQ, Store-SJC10, and Store-SJC12 to the Service Association section.

16. Turn on the Enable throttling toggle.

17. Set the Suppress period to every 5 minutes.

18. Click Preview Results in the upper right (Note: You may not get results in the preview. We will review the events during the Create a custom NEAP section).

19. Click Save and Activate.

Info
Review the transformed fields in Preview Results before saving to confirm the mapping is correct.

(Screenshot: Save and Activate)
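The two inbound connections (the Catalyst Center connection from the previous section and the SolarWinds connection from this one) can only be correlated later if both produce the same subcomponent value for the same site. The following Python is an added example, not part of the workshop and not Splunk's own code: it replicates the itsi_site eval and the two severity mappings on a few constructed alert events so that the normalized output of both vendors can be compared side by side, and it reports which sites have alerts from both vendors. The function names (normalize_catalyst, normalize_solarwinds, correlatable_sites), the output dictionary layout and the sample events are this example's own assumptions; the field names are the ones mapped in the workshop.

```python
"""Added example: replicate the ITSI inbound-notification mappings for Catalyst
Center and SolarWinds alerts in plain Python, then check that both vendors
produce matching site keys. Not the workshop's or Splunk's own code."""
from typing import Dict, List, Optional

# Catalyst Center severity rule: IssueStatus=resolved wins, then P1..P4, else Info
CATALYST_SEVERITY = {"P1": "Critical", "P2": "High", "P3": "Medium", "P4": "Low"}
# SolarWinds severity rule: numeric severity_id 1..5, else Info
SOLARWINDS_SEVERITY = {"1": "Normal", "2": "Low", "3": "Medium", "4": "High", "5": "Critical"}


def catalyst_site(event: Dict) -> Optional[str]:
    """Mirror the itsi_site eval: the 4th '/'-separated level of SiteNameHierarchy
    when that field is present and non-empty, otherwise 'Store-' plus the first
    '-'-separated token of DeviceName, otherwise null."""
    hierarchy = event.get("SiteNameHierarchy")
    if hierarchy:
        levels = hierarchy.split("/")
        # mvindex(..., 3) yields null when fewer than four levels exist; the
        # case() branch is still taken, so DeviceName is NOT consulted
        return levels[3] if len(levels) > 3 else None
    device = event.get("DeviceName")
    if device:
        return "Store-" + device.split("-")[0]
    return None


def catalyst_severity(event: Dict) -> str:
    """Value case mapping: resolved -> Normal, else by vendor_severity (case-insensitive)."""
    if str(event.get("IssueStatus", "")).lower() == "resolved":
        return "Normal"
    return CATALYST_SEVERITY.get(str(event.get("vendor_severity", "")).upper(), "Info")


def normalize_catalyst(event: Dict) -> Dict:
    """Source = coalesce(DeviceName, SiteName, IssueSpecificEntityValue);
    subcomponent = itsi_site. The output layout is this example's own."""
    source = event.get("DeviceName") or event.get("SiteName") or event.get("IssueSpecificEntityValue")
    return {"vendor": "catalyst_center", "source": source,
            "severity": catalyst_severity(event), "subcomponent": catalyst_site(event)}


def normalize_solarwinds(event: Dict) -> Dict:
    """Signature = title, description = signature, subcomponent = vendor_region,
    severity by severity_id (accepts int or string values)."""
    signature = event.get("title")
    return {"vendor": "solarwinds", "signature": signature, "description": signature,
            "severity": SOLARWINDS_SEVERITY.get(str(event.get("severity_id", "")), "Info"),
            "subcomponent": event.get("vendor_region")}


def correlatable_sites(normalized: List[Dict]) -> List[str]:
    """Sites seen from BOTH vendors: only these can be grouped into one episode."""
    vendors_by_site: Dict[str, set] = {}
    for record in normalized:
        if record["subcomponent"]:
            vendors_by_site.setdefault(record["subcomponent"], set()).add(record["vendor"])
    return sorted(site for site, vendors in vendors_by_site.items() if len(vendors) == 2)


def build_sample_events():
    """Constructed sample alerts (not real Catalyst Center or SolarWinds payloads)."""
    catalyst = [
        {"SiteNameHierarchy": "Global/US/San Jose/Store-SJC10/Floor 1",
         "DeviceName": "SJC10-access-01", "IssueStatus": "active", "vendor_severity": "P1"},
        {"DeviceName": "SJC12-dist-01", "IssueStatus": "active", "vendor_severity": "p2"},
        {"SiteNameHierarchy": "Global/US", "DeviceName": "SJC10-ap-07",
         "IssueStatus": "Resolved", "vendor_severity": "P3"},
        {"DeviceName": "", "IssueSpecificEntityValue": "10.10.12.5",
         "IssueStatus": "active", "vendor_severity": "P9"},
    ]
    solarwinds = [
        {"title": "Node down: NYHQ-core-01", "vendor_region": "NY HQ", "severity_id": 5},
        {"title": "High latency", "vendor_region": "Store-SJC10", "severity_id": "3"},
        {"title": "High latency", "vendor_region": "Store-SJC10", "severity_id": 1},
    ]
    return catalyst, solarwinds


def normalize_all() -> List[Dict]:
    catalyst, solarwinds = build_sample_events()
    return [normalize_catalyst(e) for e in catalyst] + [normalize_solarwinds(e) for e in solarwinds]


if __name__ == "__main__":
    records = normalize_all()
    for record in records:
        print(record)
    print("sites with alerts from both vendors:", correlatable_sites(records))
```

Running it prints one normalized record per sample event and the list of sites that have both Catalyst Center and SolarWinds alerts. A site that shows up under only one vendor usually means the SiteNameHierarchy-derived value and the vendor_region value do not match, and the NEAP built later would create separate episodes for it. Note also that a Catalyst Center event whose SiteNameHierarchy has fewer than four levels gets no site at all (mvindex returns null and the case() does not fall through to DeviceName), exactly as the SPL behaves; the example surfaces this as None.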

Nice Job!
SolarWinds alerts are now flowing into ITSI alongside Catalyst Center events. Both sources are normalized and ready to be correlated.

In the next section you will build a custom NEAP to group alerts from both vendors into a single episode per site.

Create a Custom NEAP

10 minutes   Authors Chris Putnam, Sam Scudere-Weiss, & Tim Hard

Correlating Alerts Across Vendors

When a network event occurs, operations teams are left manually hunting across disconnected tools to piece together what happened, where it started, and which services or users are affected. Without a common correlation layer, alert noise is high, investigation is slow, and the business impact of network incidents remains invisible until customers start calling.

The real value of ITSI is its ability to correlate related events into a single, actionable episode using a Notable Event Aggregation Policy (NEAP).

A NEAP defines the rules by which ITSI groups notable events. In this case, the goal is to group alerts from both Catalyst Center and SolarWinds that relate to the same network site into a single episode. This gives the operations team one place to investigate, one ticket to action, and one clear view of which site is affected and how many alert sources are corroborating the problem.

ITSI includes a number of pre-configured NEAPs, but for this workshop we are specifically interested in grouping alerts by location. In this section you will build a custom NEAP that correlates Catalyst Center and SolarWinds alerts by site, then validate that the policy is working correctly by reviewing service health and episode state together.

(Screenshot: Episode Review)

What You’ll Do in This Section

By the end of this section you will have:

  • Created a custom Notable Event Aggregation Policy that groups alerts from both Catalyst Center and SolarWinds by network site
  • Configured automatic episode resolution when network health returns to normal
  • Validated that the Service Analyzer and Episode Review reflect real-time site health
Subsections of 5. Create a Custom NEAP

ITSI Create Custom NEAP

10 minutes   Authors Chris Putnam, Sam Scudere-Weiss, & Tim Hard

Because you configured the inbound notification rules for Catalyst Center and Solarwinds in the previous step, you should soon see episodes being generated for those sources. You may notice ITSI is applying the default aggregation policy, which provides quick aggregation value by grouping alerts by source. However, for this dataset we want episodes grouped by location. This enables correlation between Catalyst Center and SolarWinds alerts, a differentiating feature of ITSI event management.

Exercise: Create a Custom NEAP

1. Navigate to Alerts and Episodes. Review any recently created episodes. Notice that they are using the Default Aggregation Policy to group the alerts. As the break scenario in this environment is on a 30 minute cycle (15 minutes healthy, 15 minutes unhealthy), it may take up to 15 minutes before you see episodes.

Info
The Alerts and Episodes view shows all current notable events and the episodes they have been grouped into

(Screenshot: Alerts and Episodes)

2. Navigate to Configuration > Event Management > Notable Event Aggregation Policies.

3. Click Create Notable Event Aggregation Policy in the upper right corner.

Info
ITSI includes several built-in policies. You will create a new one specifically for grouping network site alerts from multiple vendors

(Screenshot: Create NEAP)

4. In the Filtering Criteria and Instructions add orig_sourcetype matches cisco:dnac:issue.

5. Click Add Rule (OR) and enter orig_sourcetype matches solarwinds:alert:hec.

6. In the Group alerts episodes based on… replace host with subcomponent.

7. Replace the default Break Episode stanza with If the flow of events into the episode is paused for and use 600 seconds.

Info

When the breaking criteria are met, the current episode can no longer have any events added to it and a new episode starts with the next notable event. For example: Break episode if the following event occurs: message matches status Normal. This rule breaks an episode once it receives a normal notable event, indicating the problem is resolved.

Info
Filtering criteria define which alert sources this policy applies to, and the grouping field determines how episodes are formed

(Screenshot: Filtering Criteria)

Info

Event iQ in IT Service Intelligence (ITSI) uses machine learning algorithms to compare field values and correlate notable events into episodes. Instead of defining manual attributes to correlate events, you can automatically identify the correct attributes to use in your grouping policies. After you onboard alerts to ITSI, you can set criteria to filter alerts, and use Event iQ to create your event correlation policies based on an analysis of historical event data.

Using Event iQ in your workflow helps you quickly set up automated alert monitoring, reduce alert noise, and execute event actions. Additionally, algorithms can be continuously tuned to fit your environment’s alerting needs.

8. Expand Episode Information.

  • Set Episode Title to Static Value and enter Network Issue Impacting: %subcomponent%.
  • Set Episode Severity to Same as the highest Severity.
  • Click Next in the upper right.

Info
Using %subcomponent% in the episode title automatically populates the affected site name in every episode created by this policy.

Screenshot: Episode Information

9. Configure the Action Rules.

Info

Set up action rules within an aggregation policy to take automated actions when an episode’s activation criteria are met. Action rules are optional and you can define more than one per aggregation policy.

  • Add a rule: for If all event severities are, choose Normal from the dropdown and enter 60 seconds.
  • For Then Change severity to, choose Normal from the dropdown and select Change status to > Resolved.
  • Click Next.

Info
Action rules enable automatic episode resolution when all contributing alerts return to normal, reducing manual triage.

Screenshot: Action Rules

10. Enter Network Events by Location for the Policy Title. Click Enabled for the Status. Click Next.

Info
Enable the policy immediately so it begins grouping incoming alerts as soon as it is saved.

Screenshot: Policy Title
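To make the behaviour of the policy you just built concrete, here is an added Python model (example code, not ITSI's implementation) that replays constructed notable events through the same filtering criteria, subcomponent grouping, 600-second break rule, %subcomponent% title, highest-severity rule and auto-resolve action rule. The alert field, the treatment of the latest event per (sourcetype, alert) as that alert's current severity, and the sample events are assumptions made for the example.

```python
from dataclasses import dataclass, field
RANK = {"Normal": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
ALLOWED = {"cisco:dnac:issue", "solarwinds:alert:hec"}  # filtering criteria: rule 1 OR rule 2
PAUSE_BREAK = 600   # break the episode if the flow of events is paused for 600 s
RESOLVE_AFTER = 60  # action rule: all severities Normal for 60 s -> Normal + Resolved
@dataclass
class Episode:
    site: str                                   # grouping field: subcomponent
    events: list = field(default_factory=list)
    status: str = "New"
    @property
    def title(self):                            # static title with %subcomponent% substituted
        return f"Network Issue Impacting: {self.site}"
    @property
    def severity(self):                         # "Same as the highest Severity" until resolved
        if self.status == "Resolved":
            return "Normal"
        return max((e["severity"] for e in self.events), key=RANK.get)
    def apply_action_rule(self, now):
        # Assumption: the latest event per (sourcetype, alert) is that alert's current severity.
        latest = {(e["orig_sourcetype"], e["alert"]): e for e in self.events}
        cleared = all(e["severity"] == "Normal" for e in latest.values())
        if cleared and now - max(e["_time"] for e in latest.values()) >= RESOLVE_AFTER:
            self.status = "Resolved"

def run_policy(events, now):  # replay notable events through the policy; episodes oldest first
    episodes, open_by_site = [], {}
    for e in sorted(events, key=lambda x: x["_time"]):
        if e["orig_sourcetype"] not in ALLOWED:  # other sourcetypes never enter this policy
            continue
        ep = open_by_site.get(e["subcomponent"])
        if ep is None or e["_time"] - ep.events[-1]["_time"] > PAUSE_BREAK:
            ep = open_by_site[e["subcomponent"]] = Episode(e["subcomponent"])
            episodes.append(ep)
        ep.events.append(e)
    for ep in episodes:
        ep.apply_action_rule(now)
    return episodes
def ev(t, st, alert, sev):  # constructed sample notable event for site Store-SJC12
    return {"_time": t, "orig_sourcetype": st, "subcomponent": "Store-SJC12", "alert": alert, "severity": sev}

SAMPLE = [  # constructed: cross-vendor fault, a non-matching sourcetype, clears, then a late fault
    ev(1000, "cisco:dnac:issue", "AP Floor-1 unreachable", "Medium"),
    ev(1120, "solarwinds:alert:hec", "Node down", "High"),
    ev(1130, "other:tool:alert", "Ignored by filter", "Critical"),
    ev(1300, "cisco:dnac:issue", "AP Floor-1 unreachable", "Normal"),
    ev(1350, "solarwinds:alert:hec", "Node down", "Normal"),
    ev(2500, "cisco:dnac:issue", "WAN link degraded", "High"),  # gap > 600 s: new episode
]
```

Calling run_policy(SAMPLE, now=2600) yields two episodes for Store-SJC12: the first holds the four matching cross-vendor events and is Resolved with severity Normal, while the late WAN alert starts a second episode that stays open at High.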

Nice Job!
Your custom NEAP is now active. Catalyst Center and SolarWinds alerts that share the same site will be grouped into a single episode titled with the affected location.

Continue to the next section to validate the full end-to-end configuration.

Last Modified May 4, 2026

ITSI Service and KPI Review

5 minutes   Authors Chris Putnam, Sam Scudere-Weiss, & Tim Hard

In this section you will review the services and episodes created by the content packs and alert integrations configured in the previous steps, confirming the full end-to-end pipeline is working correctly.

Exercise: Review Services and Episodes

Info

Service Insights in IT Service Intelligence (ITSI) represents the mapping and monitoring of business and technical services within your organization. Within ITSI, a service is a set of interconnected applications and hosts configured to offer a specific service to the organization. ITSI Service Insights helps you map these service dependencies based on a connection between devices and applications, so you can immediately see the impact of a problematic object on the rest of the service operation.

1. Navigate to the ITSI Service Analyzer > Default Service Analyzer. You should see the services you imported.

2. Edit the Analyzer name to Network Health by Location.

Info
The Tree view shows the full service hierarchy with each Catalyst Center site and its underlying KPI health.

Screenshot: Service Analyzer Tree View

3. Click Tree on the right side.

4. Add United States to Filter Services.

5. Set the timeframe to Last 1 hour and Auto Refresh to 1 minute.

Info
Filtering by United States and setting Auto Refresh gives you a live view of site health across all locations.

Screenshot: Episode Review

6. Click Save. The view should be identical to the graphic below.

7. Click Alerts and Episodes.

8. Select the most recently created episode.

9. In the Episode details, confirm that the Aggregation Policy used was the NEAP you created in the previous step.

Info
Episodes created by the custom NEAP group Catalyst Center and SolarWinds alerts together under a single site-named episode.

Screenshot: Alerts and Episodes

Nice Job!
The full pipeline is confirmed. Services and their dependencies are configured, KPIs are calculating, and the custom NEAP is grouping cross-vendor alerts by site.

Continue to the next section to walk through this scenario.


Scenario Review

10 minutes   Authors Chris Putnam, Sam Scudere-Weiss, & Tim Hard

Scenario: Network Issue at a Retail Store

Our scenario involves an organization that has campus, branch, and store locations. When a networking issue occurs, the Operations team needs to quickly understand exactly which sites are impacted and which components of the network are unhealthy. This scenario walkthrough shows how ITSI uses device health data from Cisco Catalyst Center and correlates it with alerts from other tools (in this case, SolarWinds) to provide a complete picture of the issue in minutes.

In real environments, organizations typically have many different tools monitoring the same systems. When an issue occurs they all start triggering alerts and alarms. This creates alert storms, making it very difficult to understand where to start troubleshooting. The result is significant delays in issue resolution and alert fatigue across the operations team.

ITSI addresses this challenge by understanding network health by site and network layer, and by providing highly actionable episodes that correlate alerts across any number of different monitoring solutions. Instead of pivoting between consoles, your team gets a single view of what is happening, where it is happening, and which alerts from which tools are related.

Scenario Flow: Root Cause Analysis with Catalyst Center

Scenario Review

1. Open the Service Analyzer in ITSI. Notice that the Access Points KPI is showing a degraded health status.

Info
The Service Analyzer provides a high-level view of all imported Catalyst Center site services and their current health

Screenshot: Service Analyzer

2. Select Tree on the right to view the Service Tree.

3. Select the Store-SJC12 service to expand its KPIs. Notice that the Access Points KPI is unhealthy, which indicates there is a wireless issue at this location.

4. Select the Access Points KPI to drill into the entity details. You should see that this issue is impacting Floor-1 at this location.

Info
Selecting a service reveals its individual KPIs. The Access Points KPI health score shows a degraded state.

Screenshot: Store-SJC12 Access Points KPI

Bonus

Drill down into the entity using the Site Health Summary link to see the health of the wireless access points at this store in more detail. This dashboard provides a granular view of individual device health scores sourced directly from Catalyst Center.

The Site Health Summary dashboard shows individual access point health scores for the selected location

Screenshot: Site Health Summary

5. Check the Episode Review section located below the KPI health details. If there are any High or Critical episodes currently open for this site, they will appear here.

Info

This scenario starts at a Medium severity and escalates to High as additional alerts are generated. Depending on where you are in the 30-minute break cycle, there may not be any episodes in this list yet. If you don’t see any, continue to the next step and check the full Alerts and Episodes view.

If no episodes are currently High or Critical, navigate to Alerts and Episodes to review the full list of episodes. Depending on how long the scenario has been running, you may see previously resolved episodes for this site. This demonstrates how ITSI can automatically close open episodes and set their status to Resolved when the underlying issue clears.

6. If there is an ongoing episode, select it. If not, select one of the recently resolved episodes to review.

7. Review the impacted services and KPIs in the episode detail. This view shows exactly which services and KPIs were affected during this episode.

Info
The episode detail ties the alerts back to the affected services and KPIs, giving you a complete picture of the business impact.

Screenshot: Episode Review under KPI

8. Select the Events Timeline tab to review the order in which the events occurred.

9. From the Sort dropdown, select Root cause analysis to reorder the events chronologically.

Info
The Events Timeline sorted by Root Cause Analysis reveals the order in which alerts fired, showing the progression from initial fault to cascading impact.

Screenshot: Episode Detail

10. Review the individual alerts by selecting them from the list. Notice that this episode includes alerts from both SolarWinds and Catalyst Center. This is because the episode is using the Network Events by Location NEAP you created in the previous section, which groups all alerts for a given site regardless of their source.

Info
Cross-vendor alert correlation in a single episode: both Catalyst Center and SolarWinds alerts are grouped together by location.

Screenshot: Alert Detail

You are now able to see alerts in context, understand when they occurred, and track severity changes as the situation evolves. When a clearing event is received from either Catalyst Center or SolarWinds, the alert severity will automatically change to Normal. The action rule you configured in the NEAP will then automatically resolve the episode once all contributing alerts have returned to normal, closing the loop without any manual intervention.

Workshop Complete!

Why This Matters

Throughout this workshop you configured ITSI to provide location-based network visibility using Catalyst Center topology data, ingested and normalized alerts from two independent monitoring tools, and built a custom aggregation policy that correlates those alerts into a single actionable episode per site.

The result is a system that eliminates tool-swivel, reduces alert noise, and gives operations teams an immediate answer to three critical questions: Where is the problem? What is affected? Is it getting better or worse?

By automating episode creation and resolution, ITSI reduces mean time to resolution and ensures that your team spends their time investigating real issues instead of chasing duplicate alerts across disconnected consoles.

Happy Splunking!
