I'm trying to build a dashboard in ITSI with active alarms from SolarWinds and other monitoring tools. I'm retrieving alarms from SolarWinds via API (SolarWinds add-on). One of the next steps is to use an aggregation policy. I've noticed that whatever I type in the 'split events by field' form, no episodes are created.
For example, I use the fields below:
include events: EventType *
split events by field: orig_AlertActiveID (or AlertActiveID)
I also noticed that when I try to use smart mode, ITSI cannot find any events, even if I re-run analyze for 30 days.
How can I troubleshoot this further?
I'm not able to generate episodes with or without smart mode.
I see entries in index="itsi_tracked_alerts"
Every minute I see in the internal logs:
02-10-2020 00:38:30.664 +0100 INFO StreamedSearch - Streamed search search starting: searchid=remote_server01_rt_1581291503.609, server=server01, active_searches=3, search='rtlitsearch (index=_internal itsi_event_grouping) | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"', remote_ttl=600, apiStartTime='MIN_TIME', apiEndTime='MIN_TIME', savedsearch_name=""
How can I check in a different way that the itsi_event_grouping saved search is running?
There is no itsi_event_grouping in Jobs.
In search there is no itsi_event_grouping search listed as scheduled. The Next Scheduled Time field is empty.
I did a test installation on CentOS and the problem is the same. No itsi_event_grouping search as a job or as a scheduled search.
On Linux the Java version is openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)
On Windows it is even worse: in the Notable Event Aggregation Policy preview window I get the error:
Error in 'itsirulesengine' command: External search command exited unexpectedly with non-zero error code 1.
java version "1.8.0_241"
Java(TM) SE Runtime Environment (build 1.8.0_241-b07)
Java HotSpot(TM) Client VM (build 25.241-b07, mixed mode, sharing)
C:\Program Files (x86)\Java\jre1.8.0_241\
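As an added example (not from the original post or from Splunk), one way to inspect the rules engine saved search and its jobs through the Splunk REST API instead of the Jobs page; the REST paths, the SA-ITOA app context and the field names used here are assumptions, and the sample data is constructed:

```python
import base64
import json
import ssl
import urllib.request

# Name of the ITSI rules engine saved search (from the post); REST paths below are assumptions.
SAVED_SEARCH = "itsi_event_grouping"
LIVE_STATES = ("QUEUED", "PARSING", "RUNNING")


def rest_get(base_url, path, user, password):
    """GET a Splunk REST endpoint (base_url like https://sh:8089) as JSON; TLS checks stay on."""
    req = urllib.request.Request(f"{base_url}{path}?output_mode=json&count=0")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as r:
        return json.load(r)["entry"]


def diagnose(content):
    """Turn a saved search 'content' dict into a list of findings worth acting on."""
    truthy = ("1", "true", "True")
    findings = []
    if str(content.get("disabled", "0")) in truthy:
        findings.append("saved search is disabled")
    if str(content.get("is_scheduled", "0")) not in truthy:
        findings.append("saved search is not scheduled")
    if not content.get("next_scheduled_time"):
        findings.append("next_scheduled_time is empty")
    return findings


def live_jobs(job_entries, name=SAVED_SEARCH):
    """SIDs of /services/search/jobs entries that belong to the saved search and are still live."""
    return [e["content"]["sid"] for e in job_entries
            if e["content"].get("label") == name
            and e["content"].get("dispatchState") in LIVE_STATES]


# Constructed sample data mirroring the symptoms in the post (not real API output).
SAMPLE_SAVED_SEARCH = {"disabled": "0", "is_scheduled": "0",
                       "next_scheduled_time": "", "dispatch.earliest_time": "rt"}
SAMPLE_JOBS = [
    {"content": {"sid": "rt_1700000000.123", "label": "itsi_event_grouping", "dispatchState": "RUNNING"}},
    {"content": {"sid": "1700000001.124", "label": "some_other_search", "dispatchState": "DONE"}},
]

if __name__ == "__main__":
    # Against a live search head, replace the samples with (assumed paths):
    #   rest_get(url, "/servicesNS/nobody/SA-ITOA/saved/searches/" + SAVED_SEARCH, u, p)[0]["content"]
    #   rest_get(url, "/services/search/jobs", u, p)
    print(diagnose(SAMPLE_SAVED_SEARCH), live_jobs(SAMPLE_JOBS))
```

An empty `live_jobs` result together with "not scheduled" or "next_scheduled_time is empty" points at the scheduler or the saved search definition rather than at the aggregation policy itself.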