
SCOM Add‑On questions: duplicate events and ITSI enrichment

Kaitsu
Explorer

Hi all,

Rookie Splunk question here 🙂
In my previous life I worked mostly with Tivoli, so this Splunk world is still pretty new to me and I’m trying to understand the best practices.

I have installed the Splunk Add‑on for Microsoft SCOM and I’m receiving SCOM data into a dedicated SCOM index. I can also see the events on the ITSI side, so the integration itself seems to be working fine.

I have a couple of questions:

1) Duplicate events from two Heavy Forwarders

I currently have two Windows Heavy Forwarders, both configured with HEC and the SCOM Add‑On.
Now all SCOM events appear to be duplicated, as they are coming in through both HEC endpoints.

  • Is this expected behavior?
  • Is this considered a feature (for HA), or am I doing something wrong?
  • What is the best practice here: active/passive HF, SCOM Add‑On only on one HF, or some other recommendation?

2) ITSI SCOM integration search – enrichment not applied to all events

I have done some event enrichment in the SCOM Integration Search in ITSI (for example: assigning responsible team, routing info, etc.).

However, it looks like not all events are enriched, and I can’t really figure out why:

  • Some events get the enrichment as expected
  • Some do not, even though they look similar

Is this the correct place to do the enrichment, or am I missing something about how the SCOM Integration Search works?

Any guidance or pointers would be greatly appreciated.

Thanks in advance!

0 Karma
1 Solution

livehybrid
SplunkTrust

Hi @Kaitsu 

The duplication of events here is expected if running the SCOM inputs on multiple HFs. If you need HA, then I would suggest having the secondary prepared but with the modular input turned off.

Regarding your search issue - are all the events the same sourcetype? Are you able to identify any distinction between the different hosts which do and do not get the enrichment? 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

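As an added illustration of the active/standby arrangement described in the answer above (not configuration from the original thread, the add-on's documentation, or the poster): the same SCOM input stanza is deployed on both Heavy Forwarders, enabled on one and disabled on the other, so only one collector pulls from SCOM at a time. The `scom://` stanza form, the parameter names, the app directory, the hostnames and the management server name are assumptions for the example and should be checked against the add-on's own inputs.conf.spec.

```ini
# Example only; stanza scheme, parameters and paths are assumed.
#
# ---- File on the ACTIVE forwarder (hf-scom-01) ----
# $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-scom/local/inputs.conf
# The modular input runs here and collects alerts from the management server.
[scom://prod_alerts]
server = scom-ms-01.corp.example
interval = 60
index = scom
disabled = 0

# ---- File on the STANDBY forwarder (hf-scom-02) ----
# $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-scom/local/inputs.conf
# Identical stanza, but the input is turned off so the same alerts are not
# collected a second time. On failover, set disabled = 0 here and
# disabled = 1 on hf-scom-01, then restart splunkd on both.
[scom://prod_alerts]
server = scom-ms-01.corp.example
interval = 60
index = scom
disabled = 1
```

Because `local/` overrides `default/`, this works even if the add-on ships an enabled example stanza. On each forwarder, `splunk btool inputs list scom --debug` shows the effective merged stanza and which file each setting comes from, which is a quick way to confirm that exactly one HF has `disabled = 0`. If events are still duplicated after the standby input is off, the second copy is not coming from the modular input and the HEC token configuration is the next place to look.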

Kaitsu
Explorer
I need to look into this by turning off the modular input and then make a decision.

I will also double‑check whether these are coming from the same source. I think there may be an issue in my SPL logic—I’m just starting to learn SPL, and it’s quite a change compared to Tivoli rules syntax.

0 Karma

