Splunk ITSI
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

ITSI Webhook Integration

Kaitsu
Explorer
‎03-26-2026 11:27 PM

Hi everyone,

I’m currently working on a new Splunk deployment, migrating from a different event management tool to Splunk 10.0.2 and ITSI 4.21.1. We are running a Search Head Cluster (SHC) with three members.

As I’m still relatively new to Splunk, I wanted to check if I’ve missed a configuration step: I noticed that a Webhook (ITSI Data integrations/Integrations library/Webhooks)
I configured on one member isn't visible on the other two members of the cluster.

Shouldn't these configurations sync automatically across the SHC, or is there a specific step I need to take to replicate Webhook settings in ITSI?

Thanks in advance for the help!





Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kknairr
Contributor
‎03-28-2026 11:29 AM

@Kaitsu Webhook integrations in ITSI do not automatically sync across Search Head Cluster members unless they are created via the deployer. What you are seeing is expected if the webhook was configured locally on one node. The correct approach is to configure integrations via the deployer, so they propagate to all SHC members.

Refer this doc:

Install IT Service Intelligence in a search head cluster environment | Splunk Cloud Platform, Splunk...

>>

If this post addressed your question, you can:

  • Give it karma to show appreciation 👍
  • Mark it as the solution if it solved your issue ✔️
  • Add a comment if you’d like more details ✏️

Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise.

>>

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Kaitsu
Explorer
‎03-30-2026 10:11 PM
Thanks for the replies. I’ll will do the configuration via the Deployer.



0 Karma
Reply
Solved! Jump to solution

kknairr
Contributor
‎03-31-2026 10:13 AM

@Kaitsu You're welcome. Let us know if you face any further issues. Thank you.

0 Karma
Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎03-29-2026 02:35 PM

Hi @kknairr I dont think that is strictly true? Im sure Ive seen ITSI Webhooks from the Integrations Library which have been created in the GUI and synced themselves between members of the SHC just like many other ITSI configs?

I cant see anything in the referenced docs relating to this either, its true when first deploying ITSI to the SHC you would use the deployer (+ perhaps manual conf changes) but not sure about making UI changes directly on the captain only?

Also 'unless they are created on the cluster captain and replicated via the deployer' are two conflicting actions? 

Please could you clarify?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Solved! Jump to solution

kknairr
Contributor
‎03-30-2026 10:41 AM

@livehybrid / @PickleRick I meant pushing via deployer only. Updating in captain node also won't help in this case. Thanks for pointing it out.

0 Karma
Reply
Solved! Jump to solution
Solution

kknairr
Contributor
‎03-28-2026 11:29 AM

@Kaitsu Webhook integrations in ITSI do not automatically sync across Search Head Cluster members unless they are created via the deployer. What you are seeing is expected if the webhook was configured locally on one node. The correct approach is to configure integrations via the deployer, so they propagate to all SHC members.

Refer this doc:

Install IT Service Intelligence in a search head cluster environment | Splunk Cloud Platform, Splunk...

>>

If this post addressed your question, you can:

  • Give it karma to show appreciation 👍
  • Mark it as the solution if it solved your issue ✔️
  • Add a comment if you’d like more details ✏️

Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise.

>>

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-30-2026 01:21 AM

Cluster captaincy doesn't have anything to do with deploying apps!

A user normally doesn't even know what and where the captain is.

Anyway, normally the config is either defined as an app on the _deployer_ and pushed to the SHC members or config elements are set using REST API (which WebUI uses as well) and are then replicated using clustering mechanisms to all SHC members.

I don't think ITSI as such introduces any limitations to the normal SH clustering management operations.

So the thing you _don't_ want to do is define configuration entries _by means of directly editing config files_ on a single SHC member. Those might not be replicated to other peers and might get overwritten with settings from other peers.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...