https://community.splunk.com/t5/Splunk-ITSI/Splunk-ITSI-No-events-in-itsi-tracked-alerts/m-p/518326#M2159 <P>The problem is now solved.</P><P>This ITSI instance was set up and a restore was done from another instance. There were 2 problems with the event creation in the index <SPAN class="lia-link-navigation child-thread lia-link-disabled">itsi_tracked_alerts</SPAN></P><P>1) Error messages in the internal log "Encountered exception when consuming. "'No key or prefix: token.'"</P><P>2) A pop up while accessing the notable event aggregation policy</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 492px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10698i16BA0D8ADDEA1B0E/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P>Solution:</P><P>We noticed that the HTTP tokens value concerning ITSI events were empty and proceeded with the workaround suugested in</P><P><A href="https://docs.splunk.com/Documentation/ITSI/4.6.1/ReleaseNotes/Knownissues#Backup.2FRestore_and_Migration_Issues" target="_blank">https://docs.splunk.com/Documentation/ITSI/4.6.1/ReleaseNotes/Knownissues#Backup.2FRestore_and_Migration_Issues</A> #ITSI-5578</P><P>This solved both issues and now we have all the alerts and accessing Notable Event Aggregation policy works as well.</P><P>&nbsp;</P> Tue, 08 Sep 2020 03:30:40 GMT GowthamMagal 2020-09-08T03:30:40Z https://community.splunk.com/t5/Splunk-ITSI/Splunk-ITSI-No-events-in-itsi-tracked-alerts/m-p/518138#M2156 <P>Hi Splunk Gurus,</P><P>We have a splunk ITSI search head with version<STRONG> 4.4.3</STRONG> build 14 running on Splunk version <STRONG>7.2.10</STRONG></P><P>I have created correlation searches.&nbsp; Some of which run every minute. Event though the splunk correlation searches run as required, we have noticed that there are no events in the index itsi_tracked_alerts&nbsp; created even though the alert conditions are met.</P><P>&nbsp;</P><P>in ITSI Health check dashboard, I see this error in the internal log:</P><P>"2020-09-07 04:52:04,796 ERROR [itsi.notable_event_actions_queue_consumer] [__init__] [exception] [121502] Encountered exception when consuming. "'No key or prefix: token.'".<BR />Traceback (most recent call last):<BR />File "/opt/splunk/etc/apps/SA-ITOA/bin/itsi_notable_event_actions_queue_consumer.py", line 109, in do_run<BR />action_dispatch_config=action_dispatch_config<BR />File "/opt/splunk/etc/apps/SA-ITOA/lib/itsi/event_management/itsi_notable_event_queue_consumer.py", line 130, in __init__<BR />self.auditor = Audit(self.session_key, audit_token_name=audit_token_name)<BR />File "/opt/splunk/etc/apps/SA-ITOA/lib/ITOA/event_management/notable_event_utils.py", line 553, in __init__<BR />self.audit = PushEventManager(self.session_key, audit_token_name)<BR />File "/opt/splunk/etc/apps/SA-ITOA/lib/ITOA/event_management/push_event_manager.py", line 111, in __init__<BR />hec_token=hec_token)<BR />File "/opt/splunk/etc/apps/SA-ITOA/lib/SA_ITOA_app_common/solnlib/modular_input/event_writer.py", line 209, in __init__<BR />hec_input_name, session_key, scheme, host, port, **context)<BR />File "/opt/splunk/etc/apps/SA-ITOA/lib/SA_ITOA_app_common/solnlib/utils.py", line 159, in wrapper<BR />return func(*args, **kwargs)<BR />File "/opt/splunk/etc/apps/SA-ITOA/lib/SA_ITOA_app_common/solnlib/modular_input/event_writer.py", line 329, in _get_hec_config<BR />return settings['port'], hec_input['token']<BR />File "/opt/splunk/etc/apps/SA-ITOA/lib/SA_ITOA_app_common/solnlib/packages/splunklib/data.py", line 253, in __getitem__<BR />raise KeyError("No key or prefix: %s" % key)<BR />KeyError: 'No key or prefix: token.'"</P><P>&nbsp;</P><P>And</P><P>"2020-09-07 04:52:02,514 ERROR [itsi.custom_alert.itsi_generator] [__init__] [exception] [121099] Failed to validate arguments. Please make sure arguments are correct<BR />Traceback (most recent call last):<BR />File "/opt/splunk/etc/apps/SA-ITOA/bin/itsi_event_generator.py", line 57, in &lt;module&gt;<BR />modular_alert = ItsiSendAlert(sys.stdin.read())<BR />File "/opt/splunk/etc/apps/SA-ITOA/bin/itsi_event_generator.py", line 33, in __init__<BR />super(ItsiSendAlert, self).__init__(settings, is_validate)<BR />File "/opt/splunk/etc/apps/SA-ITOA/lib/ITOA/event_management/base_event_generation.py", line 178, in __init__<BR />raise ValueError(_('Failed to validate arguments. Please make sure arguments are correct'))<BR />ValueError: Failed to validate arguments. Please make sure arguments are correct"</P><P>I hope someone has faced this error and help me solve it. I have spent about 3 days looking the possible errors and going through internet resources to help me troubleshoot this</P><P>&nbsp;</P> Mon, 07 Sep 2020 03:09:19 GMT https://community.splunk.com/t5/Splunk-ITSI/Splunk-ITSI-No-events-in-itsi-tracked-alerts/m-p/518138#M2156 GowthamMagal 2020-09-07T03:09:19Z https://community.splunk.com/t5/Splunk-ITSI/Splunk-ITSI-No-events-in-itsi-tracked-alerts/m-p/518320#M2157 <P>Did you perform the workaround in&nbsp;<A href="https://docs.splunk.com/Documentation/ITSI/4.4.3/ReleaseNotes/Knownissues#Splunk_platform_issues_that_impact_ITSI_compatibility" target="_blank">https://docs.splunk.com/Documentation/ITSI/4.4.3/ReleaseNotes/Knownissues#Splunk_platform_issues_that_impact_ITSI_compatibility</A>&nbsp;?</P> Tue, 08 Sep 2020 02:30:00 GMT https://community.splunk.com/t5/Splunk-ITSI/Splunk-ITSI-No-events-in-itsi-tracked-alerts/m-p/518320#M2157 esnyder_splunk 2020-09-08T02:30:00Z https://community.splunk.com/t5/Splunk-ITSI/Splunk-ITSI-No-events-in-itsi-tracked-alerts/m-p/518324#M2158 <P>Hello <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/111324">@esnyder_splunk</a>&nbsp;</P><P>Yes, this work around is performed. But this did not solve the problem.</P><P>We happened to find the solution Just now. I will post the solution in the next post. Thank you</P><P>&nbsp;</P> Tue, 08 Sep 2020 03:23:02 GMT https://community.splunk.com/t5/Splunk-ITSI/Splunk-ITSI-No-events-in-itsi-tracked-alerts/m-p/518324#M2158 GowthamMagal 2020-09-08T03:23:02Z https://community.splunk.com/t5/Splunk-ITSI/Splunk-ITSI-No-events-in-itsi-tracked-alerts/m-p/518326#M2159 <P>The problem is now solved.</P><P>This ITSI instance was set up and a restore was done from another instance. There were 2 problems with the event creation in the index <SPAN class="lia-link-navigation child-thread lia-link-disabled">itsi_tracked_alerts</SPAN></P><P>1) Error messages in the internal log "Encountered exception when consuming. "'No key or prefix: token.'"</P><P>2) A pop up while accessing the notable event aggregation policy</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 492px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10698i16BA0D8ADDEA1B0E/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P><P>Solution:</P><P>We noticed that the HTTP tokens value concerning ITSI events were empty and proceeded with the workaround suugested in</P><P><A href="https://docs.splunk.com/Documentation/ITSI/4.6.1/ReleaseNotes/Knownissues#Backup.2FRestore_and_Migration_Issues" target="_blank">https://docs.splunk.com/Documentation/ITSI/4.6.1/ReleaseNotes/Knownissues#Backup.2FRestore_and_Migration_Issues</A> #ITSI-5578</P><P>This solved both issues and now we have all the alerts and accessing Notable Event Aggregation policy works as well.</P><P>&nbsp;</P> Tue, 08 Sep 2020 03:30:40 GMT https://community.splunk.com/t5/Splunk-ITSI/Splunk-ITSI-No-events-in-itsi-tracked-alerts/m-p/518326#M2159 GowthamMagal 2020-09-08T03:30:40Z