Activity Feed
- Posted Re: Disable Info Circle in ITSI on Splunk ITSI. 01-01-2021 09:58 AM
- Posted Re: backfill itsi - insufficient data in ITSI summary index on Splunk ITSI. 11-17-2020 02:42 PM
- Karma Re: Getting error creating a new notable event aggregation policy for Allenspach. 11-12-2020 08:02 AM
- Posted Re: Getting error creating a new notable event aggregation policy on Splunk ITSI. 11-11-2020 09:13 AM
- Karma Re: What is the difference between a single pane of glass and a glass table ?? for bowesmana. 10-14-2020 08:30 PM
- Posted Re: What's the step between correlation searches and episode reviews? on Splunk ITSI. 10-07-2020 09:17 AM
- Posted Re: ITSI episode review filters on Splunk ITSI. 09-29-2020 07:56 AM
- Got Karma for Re: ITSI Glass Table Custom URL Drilldown. 09-21-2020 07:12 AM
- Posted Re: Splunk ITSI: No events in itsi_tracked_alerts on Splunk ITSI. 09-07-2020 07:30 PM
- Karma Re: Failed ITSI restore from backup... for eduncan. 08-28-2020 10:06 AM
- Posted Re: ITSI Service Analyzer doesn't show anything on Splunk ITSI. 08-26-2020 04:31 PM
- Got Karma for Re: ITSI [ITOA Validation Error] ?. 08-17-2020 01:26 AM
- Karma Re: Splunk ITSI bidirectional ticketing - ServiceNow - snow_hash.csv not found for taskar. 08-13-2020 12:28 PM
- Got Karma for Re: ITSI Content Pack Questions. 08-06-2020 09:55 AM
- Posted Re: ITSI Content Pack Questions on Splunk ITSI. 08-06-2020 09:46 AM
- Posted Re: Unable to save correlation search in ITSI getting error "Invalid search string: This search cannot be parsed w on Splunk ITSI. 07-26-2020 10:41 PM
- Posted Re: How to turn off "Click here to access documentation..." pop-up at the top of Beta Glass Tables on Splunk ITSI. 07-26-2020 10:03 PM
- Posted Re: Disable Info Circle in ITSI on Splunk ITSI. 07-26-2020 10:02 PM
- Posted Re: ITSI [ITOA Validation Error] ? on Splunk ITSI. 07-25-2020 10:10 PM
- Posted Re: Not get full entities and services sample after restore a ITSI Content Pack. on Splunk ITSI. 07-25-2020 09:59 PM
01-01-2021
09:58 AM
Update on this - 4.7.0 release makes the beta framework the official framework, so the banners are gone! https://docs.splunk.com/Documentation/ITSI/4.7.0/ReleaseNotes/Newfeatures#Glass_table_editor I encourage upgrading if possible.
11-17-2020
02:42 PM
If you have insufficient permission you shouldn't have seen data from the time the backfill was turned on. Can you check the source index (where the raw data is coming from) for the KPI to see if you have data for the last 7 days?
11-11-2020
09:13 AM
Hi @Allenspach can you please try these troubleshooting steps? https://docs.splunk.com/Documentation/ITSI/latest/EA/TroubleshootRE#Java_process_not_starting_when_the_Rules_Engine_search_is_executed
10-07-2020
09:17 AM
@keesling can you take a look at the following resources and see if they answer your question? https://docs.splunk.com/Documentation/ITSI/4.6.1/EA/AboutEA https://docs.splunk.com/Documentation/ITSI/4.6.1/EA/RE CC @eduncan if you have any other knowledge to impart.
09-29-2020
07:56 AM
Hi @keesling, please check back on the new features page in about a month. This feature is planned for our next release: https://docs.splunk.com/Documentation/ITSI/latest/ReleaseNotes/Newfeatures
09-07-2020
07:30 PM
Did you perform the workaround in https://docs.splunk.com/Documentation/ITSI/4.4.3/ReleaseNotes/Knownissues#Splunk_platform_issues_that_impact_ITSI_compatibility ?
08-26-2020
04:31 PM
You might consider following the troubleshooting steps here? https://docs.splunk.com/Documentation/ITSI/4.6.0/Install/Troubleshoot#Why_are_things_missing_after_I_upgrade.3F Those steps are technically for post-upgrade, but going through them might help diagnose the problem. Just a shot in the dark.
08-06-2020
09:46 AM
1 Karma
1. Not yet, but once we get the beta going and improve the functionality of the Content Library, we plan to open it up for 3rd parties to contribute. Please stand by.
2. OH NO that's an error on my part. I put that text in forgetting that those docs are already published. I removed them, but look for them to come back within the next week (hopefully) when the beta starts and I encourage you to sign up to participate. Thanks for catching my mistake!
07-26-2020
10:41 PM
You can't use a sub-search returning into an eval in a correlation search. As a workaround:
1. Create and save a basic correlation search with all of the information you want outside of the search.
2. As an admin user, go to Settings > Searches, reports, and alerts and open the correlation search you just created.
3. Add the sub-search you were trying to add there.
This workaround is also documented in known issue ITSI-3322 in the release notes.
07-26-2020
10:03 PM
Unfortunately there's no way to disable this banner. However, the beta glass table framework will be officially released very soon which means the classic framework will be deprecated and the banners will be removed.
07-26-2020
10:02 PM
Unfortunately there's no way to disable this banner. However, the beta glass table framework will be officially released very soon which means the classic framework will be deprecated and the banners will be removed.
07-25-2020
10:10 PM
1 Karma
This is a benign error. SA-ITOA doesn't expect empty data to come from SAI and thus throws an unnecessary error instead of exiting gracefully. This issue was fixed in 4.3.0. If you don't want to upgrade, a workaround is to disable the modular input 'Splunk App for Infrastructure - Entity Migration.'
07-25-2020
09:59 PM
Hi Rendi, can you elaborate what you mean by "i think i will get many entities and services in it"? A content pack can't include entities because entities represent your individual infrastructure components. We can't provide those to you - you need to ingest them into ITSI yourself. Content packs are meant to help you set up ITSI after you have your data flowing in. The docs for each content pack have specific data requirements which show you how to get the required data flowing into ITSI so you can make the content pack work.
07-25-2020
09:51 PM
Hi Rendi, please see the "Data requirements for the content pack for..." pages for each content pack. For example:
- Data requirements for the Content Pack for Monitoring Microsoft Windows
- Data requirements for the Content Pack for Monitoring Unix and Linux
- Data requirements for the Content Pack for Monitoring Citrix
Others without complex data requirements have prerequisites such as: "Before installing this content pack, you must first install and configure the Splunk Firehose Nozzle for PCF to get your Pivotal Cloud Foundry data into Splunk." OR "To bring the metrics data for these data sources into ITSI, you must download the Splunk Add-on for VMware from Splunkbase and install it prior to installing the content pack."
If any of the content pack docs are lacking the required prerequisite/data requirement information, please point them out and I can work on improving the docs.
07-25-2020
09:42 PM
Hi Rendi, yes this is intended. The content is supposed to be a starting point for IT infrastructure monitoring, not necessarily the entire solution. It's intended to give users an idea of how to set up their environment, how to structure dependencies, etc. The hope is that customers will install it, and then do their own configuration of services and alerts. If you look at the post-install documentation for the content pack you'll see this elaborated on a bit more.
07-25-2020
09:29 PM
Hi Patrick, I would suggest upgrading to version 4.5.0 if you can. Version 4.5.0 includes an Episode Instructions box in each aggregation policy where you can add custom instructions and other information to be displayed in episodes grouped by that policy. The instructions support Markdown so you can add clickable links.
07-25-2020
09:21 PM
Hi, here are the steps to upgrading to Python 3 in all different scenarios. It includes when to upgrade ITSI, Splunk Enterprise, and the MLTK: https://docs.splunk.com/Documentation/ITSI/4.4.4/Install/Python3
07-09-2020
04:21 PM
How can I find out when they are scheduled to sync?
It should say on either A) services lister (for the linked services that will be updated) or B) the service template page.

How can I force a sync?
Is this for if you already had a sync scheduled? If yes, unsure… may need to ask others. If you had not already scheduled it, just change schedule to Now.

How can I see any sync errors? (I think I know this, but for completeness...)
I believe the lister pages should indicate if an error occurred during sync. Obviously check the logs, but I cannot remember which specific sources unfortunately.

What are the common causes of service templates not syncing promptly?
Conflicts or mismatch (services linked not correct somehow…). Maybe there is an issue where a restore/migration is already in effect and lasts a long time so the scheduled sync will wait until those operations are over. May want to ask around for more.

What is the expected time to wait before they sync?
If it's immediate, it should only be like 5-10s (at most) before you start to see "Sync in progress". For time of total sync, depends on env, number of services, etc.
05-12-2020
12:44 PM
Hi Devon, sorry for never getting back to you. I didn't see your follow-up. The sandbox was removed in the middle of 2018 I believe.
04-16-2020
10:46 AM
,"0" if this is a normal KPI data point, "1" if it's the Max Severity event. Max severity represents the most severe KPI data point among service aggregate and all entity-level data points for a given time. Its value is random if multiple data points have the same severity. This data point exists solely for the purpose of evaluating score events. It always exists for every time, even if there's no data. There is exactly 1 event for each period of the KPI. Here's some info about aggregate (normal) vs. max severity KPI values: https://docs.splunk.com/Documentation/ITSI/latest/User/KPIvaluedisplays
The one you mentioned is the indexed field of is_service_max_severity_event. Always filter against the indexed field instead of the non-indexed version.
Summary index reference: https://docs.splunk.com/Documentation/ITSI/latest/Configure/IndexRef
04-04-2020
11:56 AM
This KPI should be removed from the base search. I suggest filing a support ticket.
02-05-2020
04:12 PM
Configuration:
- KPI object in the service object
- A collection in SA-ITSI-MetricAD
- Savedsearches.conf in SA-ITSI-MetricAD
Computational Middle Work:
- there is an index for it called anomaly or something defined in SA-ITSI-MetricAD
Final resultant Anomaly:
- it's a notable event like any other, so tracked alerts index and then the episodes index
01-30-2020
10:54 AM
Hi Satya, this documentation might help to answer your second question: https://docs.splunk.com/Documentation/ITSI/latest/Configure/Enableanomalydetection
01-14-2020
11:45 AM
Note that 8.0 is the Python 3 release of Splunk. Whether you want to use Python 2 or 3, the order of operations and the appropriate versions of apps and add-ons are more rigid than usual. Full instructions for all upgrade scenarios with ITSI are covered here: Python 3 migration with ITSI.
Note the following:
- ITSI version 4.4.x is completely Python 2/3 compatible.
- Splunk Enterprise Security version 6.0 is compatible with Splunk Enterprise version 8.0, though it currently requires the Python 2 interpreter that ships with Splunk Enterprise 8.0.
Your upgrade path depends on whether or not you want to use Python 2 or Python 3. Regardless, because of the Python 3 migration changes, you MUST upgrade ITSI before you upgrade Splunk Enterprise, or else ITSI breaks.
Note: ITSI 4.4.x is the only version that's compatible with Splunk Enterprise version 8.0.x. See the Splunk products version compatibility matrix for more information.
A more complete manual for Python 3 migration with all premium apps (including ITSI and ES) is available in the Splunk Enterprise Python 3 Migration manual: https://docs.splunk.com/Documentation/Splunk/latest/Python3Migration/AboutMigration
12-12-2019
11:59 AM
I would suggest upgrading the glass table to the beta framework and trying it there. The classic framework will be phased out in the next major release.
https://docs.splunk.com/Documentation/ITSI/latest/User/BetaFramework