×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Kaitsu
Explorer
Member since: ‎03-26-2026
4 weeks ago
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-26-2026
View All

Re: SCOM Add‑On questions: duplicate events and IT...

by in All Apps and Add-ons
4 weeks ago
4 weeks ago
I need to look into this by turning off the modular input and then make a decision. I will also double‑check whether these are coming from the same source. I think there may be an issue in my SPL logic—I’m just starting to learn SPL, and it’s quite a change compared to Tivoli rules syntax. ... View more

SCOM Add‑On questions: duplicate events and ITSI e...

by in All Apps and Add-ons
‎04-15-2026 02:30 AM
‎04-15-2026 02:30 AM
Hi all, Rookie Splunk question here 🙂 In my previous life I worked mostly with Tivoli, so this Splunk world is still pretty new to me and I’m trying to understand the best practices. I have installed the Splunk Add‑on for Microsoft SCOM and I’m receiving SCOM data into a dedicated SCOM index. I can also see the events on the ITSI side, so the integration itself seems to be working fine. I have a couple of questions: 1) Duplicate events from two Heavy Forwarders I currently have two Windows Heavy Forwarders, both configured with HEC and the SCOM Add‑On. Now all SCOM events appear to be duplicated, as they are coming in through both HEC endpoints. Is this expected behavior? Is this considered a feature (for HA), or am I doing something wrong? What is the best practice here: active/passive HF, SCOM Add‑On only on one HF, or some other recommendation? 2) ITSI SCOM integration search – enrichment not applied to all events I have done some event enrichment in the SCOM Integration Search in ITSI (for example: assigning responsible team, routing info, etc.). However, it looks like not all events are enriched, and I can’t really figure out why: Some events get the enrichment as expected Some do not, even though they look similar Is this the correct place to do the enrichment, or am I missing something about how the SCOM Integration Search works? Any guidance or pointers would be greatly appreciated. Thanks in advance! ... View more
Labels

Re: ITSI Webhook Integration

by in Splunk ITSI
‎03-30-2026 10:11 PM
‎03-30-2026 10:11 PM
Thanks for the replies. I’ll will do the configuration via the Deployer. ... View more

ITSI Webhook Integration

by in Splunk ITSI
‎03-26-2026 11:27 PM
‎03-26-2026 11:27 PM
Hi everyone, I’m currently working on a new Splunk deployment, migrating from a different event management tool to Splunk 10.0.2 and ITSI 4.21.1. We are running a Search Head Cluster (SHC) with three members. As I’m still relatively new to Splunk, I wanted to check if I’ve missed a configuration step: I noticed that a Webhook (ITSI Data integrations/Integrations library/Webhooks) I configured on one member isn't visible on the other two members of the cluster. Shouldn't these configurations sync automatically across the SHC, or is there a specific step I need to take to replicate Webhook settings in ITSI? Thanks in advance for the help! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
4 weeks ago