The Content Pack for Windows Dashboards and Reports (DA-ITSI-CP-windows dashboards) requires the Splunk Add-on for Microsoft Windows as a prerequisite. All the mentioned event types are shipped with this add-on. The Splunk Add-on for Microsoft Windows DNS is an older app, now archived but functionality of this add-on has been incorporated in Splunk Add-on for Microsoft Windows. Therefore, installing the Splunk Add-on for Microsoft Windows on the SH will eliminate the missing event types errors from the environment. ... View more

TL;DR : you need systemd setup AND splunkd service enabled for it to kick in. ____   1) Check if you have the systemd script setup : /etc/systemd/system/Splunkd.service 2) check if the Splunkd service is enabled   systemctl status Splunkd   when it's enabled and started, you will see ● Splunkd.service - Systemd service file for Splunk, generated by 'splunk enable boot-start' Loaded: loaded (/etc/systemd/system/Splunkd.service; enabled; vendor preset: disabled) Active: active (running) since Wed 2022-04-13 14:46:44 UTC; 4h 46min ago Main PID: 982 (splunkd) Memory: 1.0G (limit: 1.7G) CGroup: /system.slice/Splunkd.service ├─ 982 splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd ├─1756 [splunkd pid=982] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd [process-runner] ├─2279 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --storageEngine=mmapv1 --port=8191 --timeStampFormat=iso8601-utc --smallfiles --oplogSize... ├─2408 /opt/splunk/bin/python3.7 -O /opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/root.py --proxied=127.0.0.1,8065,8000 └─2411 /opt/splunk/bin/splunkd instrument-resource-usage -p 8089 --with-kvstore If it's disabled and not started you will see Splunkd.service - Systemd service file for Splunk, generated by 'splunk enable boot-start' Loaded: loaded (/etc/systemd/system/Splunkd.service; disabled; vendor preset: disabled) if it's disabled but was manually started you will see Splunkd.service - Systemd service file for Splunk, generated by 'splunk enable boot-start' Loaded: loaded (/etc/systemd/system/Splunkd.service; disabled; vendor preset: disabled) Active: active (running) since Wed 2022-04-13 14:46:44 UTC; 4h 51min ago Main PID: 982 (splunkd) CGroup: /system.slice/Splunkd.service ├─ 982 splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd ├─1756 [splunkd pid=982] splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd [process-runner] ├─2279 mongod --dbpath=/opt/splunk/var/lib/splunk/kvstore/mongo --storageEngine=mmapv1 --port=8191 --timeStampFormat=iso8601-utc --smallfiles --oplogSize... ├─2408 /opt/splunk/bin/python3.7 -O /opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/root.py --proxied=127.0.0.1,8065,8000 └─2411 /opt/splunk/bin/splunkd instrument-resource-usage -p 8089 --with-kvstore if you do not see it enabled, enable it   systemctl enable Splunkd   Then it should autostart when you reboot your server. ... View more

see known bug ITSI-20605 Check the roles: are all the users impacted or are only non-admin roles impacted? Check the web_service.log in index=_internal, do you see errors like that or different views or management views.   An unknown view name "homeview" is referenced in the navigation definition for "itsi".   Check the app metadata permissions for those views. Example: in ../etc/apps/itsi/metadata/local.meta, look for the view "homeview" Check which roles have read and write permissions, If only the admin can, there it's the root cause. Compare to the default permissions in ../etc/apps/itsi/metadata/default.meta A corrupted permissions stanza will look like that, you see no roles in the brackets :     access = delete : [ ], read : [ ], write : [ ]       Resolution Clean the .../etc/apps/itsi/metadata/local.meta Removed all stanzas impacted, as they were conflicting with the definition is default.meta If the instance is a Search-head cluster, you will have to fix is on all Search Head, and restart. ... View more

Symptom:  working ITSI and a License Master upgrade to ITSI 4.9 or later, or installed a new ITSI. After the migration UI, the ITSI UI upgrades to 4.9, but most of the views are now disabled and flagged as "Premium feature", and the app is renamed "ITEsssential-Work" (ITE-W) The reason is usually that: Since ITSI 4.9, if no ITSI license is detected, the product switch to the "free version" ITE-W.   Check if the 2 ITSI apps were properly upgraded on the license master. see Install Docs the 2 apps are SA-ITSI-Licensechecker and SA-UserAccess, they should be retrieved from the ITSI installer, and be on version 4.9 and 4.9.1 (or matching the installer app version of ITSI) Then restart Splunk on the license-master to complete the app install Then wait a few minutes and retry on the ITSI search-head. (if needed restart the Search-head too)     Check if the license master has a valid non-expired ITSI license. On the license-master go to settings > licensing Check for the non-expired licenses: "Splunk IT Service Intelligence" or a trial once, they have a "zero MB volume" If you do have a license, please ask your Splunk portal admin to check on the portal for it, or reach the Splunk sales team to verify that your account has indeed a license for that product. ... View more

If you use the Graphs in the analytics UI are based on those searches   | mstats avg("kube.node.memory.allocatable") prestats=true WHERE "index"="k8s_metrics" span=10s | timechart avg("kube.node.memory.allocatable") AS Avg span=10s | fields - _span*   and     | mstats avg("kube.node.memory.working_set_bytes") prestats=true WHERE "index"="k8s_metrics" span=10s | timechart avg("kube.node.memory.working_set_bytes") AS Avg span=10s | fields - _span*     To extract them on a single search and do the calculation, you can use that method.   | mstats avg("kube.node.memory.allocatable") As alloc_MB avg("kube.node.memory.working_set_bytes") AS working_B prestat=f WHERE "index"="k8s_metrics" span=10s by node | timechart avg(eval(100*working_B/(alloc_MB*1024*1024))) AS mem_used_percent span=10s by node       Key points : need to use AS to cast the results into fields you can manipulate later. Use an EVAL in the function to do the calculation on the fly. For timecharts ensure that the span in the mstats is equal or smaller than the span in the timechart. Use a split BY the appropriate field, here by node. We also disabled the "prestat" from the mstats, otherwise the fields names  would be slightly different. ... View more