Update on this - 4.7.0 release makes the beta framework the official framework, so the banners are gone! https://docs.splunk.com/Documentation/ITSI/4.7.0/ReleaseNotes/Newfeatures#Glass_table_editor I encourage upgrading if possible.  ... View more

If you have insufficient permission you shouldn't have seen data from the time the backfill was turned on. Can you check the source index (where the raw data is coming from) for the KPI to see if you have data for the last 7 days? ... View more

Hi @Allenspach can you please try these troubleshooting steps?  https://docs.splunk.com/Documentation/ITSI/latest/EA/TroubleshootRE#Java_process_not_starting_when_the_Rules_Engine_search_is_executed ... View more

@keesling can you take a look at the following resources and see if they answer your question?  https://docs.splunk.com/Documentation/ITSI/4.6.1/EA/AboutEA https://docs.splunk.com/Documentation/ITSI/4.6.1/EA/RE CC @eduncan if you have any other knowledge to impart.  ... View more

Hi @keesling, please check back on the new features page in about a month. This feature is planned for our next release: https://docs.splunk.com/Documentation/ITSI/latest/ReleaseNotes/Newfeatures ... View more

Did you perform the workaround in https://docs.splunk.com/Documentation/ITSI/4.4.3/ReleaseNotes/Knownissues#Splunk_platform_issues_that_impact_ITSI_compatibility ? ... View more

You might consider following the troubleshooting steps here? https://docs.splunk.com/Documentation/ITSI/4.6.0/Install/Troubleshoot#Why_are_things_missing_after_I_upgrade.3F Those steps are technically for post-upgrade, but going through them might help diagnose the problem. Just a shot in the dark.  ... View more

You can't use a sub-search returning into an eval in a correlation search. As a workaround: 1. Create and save a basic correlation search with all of the information you want outside of the search. 2. As an admin user, go to Settings > Searches, reports, and alerts and open the correlation search you just created. 3. Add the sub-search you were trying to add there. This workaround is also documented in known issue ITSI-3322 in the release notes.  ... View more

Unfortunately there's no way to disable this banner. However, the beta glass table framework will be officially released very soon which means the classic framework will be deprecated and the banners will be removed.  ... View more

Unfortunately there's no way to disable this banner. However, the beta glass table framework will be officially released very soon which means the classic framework will be deprecated and the banners will be removed.  ... View more

This is a benign error. SA-ITOA doesn't expect empty data to come from SAI and thus throws an unnecessary error instead of exiting gracefully.  This issue was fixed in 4.3.0. If you don't want to upgrade, a workaround is to disable the modular input 'Splunk App for Infrastructure - Entity Migration.' ... View more

Hi Rendi, can you elaborate what you mean by "i think i will get many entities and services in it"? A content pack can't include entities because entities represent your individual infrastructure components. We can't provide those to you - you need to ingest them into ITSI yourself.  Content packs are meant to help you set up ITSI after you have your data flowing in. The docs for each content pack have specific data requirements which show you how to get the required data flowing into ITSI so you can make the content pack work.    ... View more

Hi Rendi, please see the "Data requirements for the content pack for..." pages for each content pack. For example:  Data requirements for the Content Pack for Monitoring Microsoft Windows Data requirements for the Content Pack for Monitoring Unix and Linux Data requirements for the Content Pack for Monitoring Citrix Others without complex data requirements have prerequisites such as: "Before installing this content pack, you must first install and configure the Splunk Firehose Nozzle for PCF to get your Pivotal Cloud Foundry data into Splunk." OR "To bring the metrics data for these data sources into ITSI, you must download the Splunk Add-on for VMware from Splunkbase and install it prior to installing the content pack." If any of the content pack docs are lacking the required prerequisite/data requirement information, please point them out and I can work on improving the docs. ... View more

Hi Rendi, yes this is intended. The content is supposed to be a starting point for IT infrastructure monitoring, not necessarily the entire solution. It's intended to give users an idea of how to set up their environment, how to structure dependencies, etc.  The hope is that customers will install it, and then do their own configuration of services and alerts. If you look at the post-install documentation for the content pack you'll see this elaborated on a bit more.  ... View more

Hi Patrick, I would suggest upgrading to version 4.5.0 if you can. Version 4.5.0 includes an Episode Instructions box in each aggregation policy where you can add custom instructions and other information to be displayed in episodes grouped by that policy. The instructions support Markdown so you can add clickable links.   ... View more

Hi, here are the steps to upgrading to Python 3 in all different scenarios. It includes when to upgrade ITSI, Splunk Enterprise, and the MLTK: https://docs.splunk.com/Documentation/ITSI/4.4.4/Install/Python3 ... View more

How can I find out when they are scheduled to sync? It should say on either A) services lister (for the linked services that willbe updated) or B) the service template page   How can I force a sync? Is this for if you already had a sync scheduled? If yes, unsure… may need to ask others. If you had not already scheduled it, just change schedule to Now   How can I see any sync errors? ( think I know this, but for completeness...) I beleve the lister pages should indicate if an error occurred during sync. Obviously check the logs, but I cannot remember which specific sources unfortunately   What are the common causes of service templates not syncing promptly? Conflicts or mismatch (services linked not correct somehow…), Maybe there is an issue where a restore/migration is already in effect and lasts a long time so the scheduled sync will wait until those operations are over. . May want to ask around for more    What is the expected time to wait before they sync? If it’s immediate, it should only be like 5-10s (at most) before you start to see “Sync in progress”. For time of total sync, depends on env, number of services, etc  ... View more

Hi Devon, sorry for never getting back to you. I didn't see your follow-up. The sandbox was removed in the middle of 2018 I believe. ... View more

This KPI should be removed from the base search. I suggest filing a support ticket. ... View more

Configuration: - KPI object in the service object - A collection in SA-ITSI-MetricAD - Savedsearches.conf in SA-ITSI-MetricAD Computational Middle Work: - there is an index for it called anomaly or something defined in SA-ITSI-MetricAD Final resultant Anomaly: - it's a notable event like any other, so tracked alerts index and then the episodes index ... View more

Hi Satya, this documentation might help to answer your second question: https://docs.splunk.com/Documentation/ITSI/latest/Configure/Enableanomalydetection ... View more

Note that 8.0 is the Python 3 release of Splunk. Whether you want to use Python 2 or 3, the order of operations and the appropriate versions of apps and add-ons are more rigid than usual. Full instructions for all upgrade scenarios with ITSI are covered here: Python 3 migration with ITSI. Note the following: - ITSI version 4.4.x is completely Python 2/3 compatible. - Splunk Enterprise Security version 6.0 is compatible with Splunk Enterprise version 8.0, though it currently requires the Python 2 interpreter that ships with Splunk Enterprise 8.0. Your upgrade path depends on whether or not you want to use Python 2 or Python 3. Regardless, because of the Python 3 migration changes, you MUST upgrade ITSI before you upgrade Splunk Enterprise, or else ITSI breaks. Note: ITSI 4.4.x is the only version that's compatible with Splunk Enterprise version 8.0.x. See the Splunk products version compatibility matrix for more information. A more complete manual for Python 3 migration with all premium apps (including ITSI and ES) is available in the Splunk Enterprise Python 3 Migration manual: https://docs.splunk.com/Documentation/Splunk/latest/Python3Migration/AboutMigration ... View more

I would suggest upgrading the glass table to the beta framework and trying it there. The classic framework will be phased out in the next major release. https://docs.splunk.com/Documentation/ITSI/latest/User/BetaFramework ... View more