Hi Splunk Gurus,

We have a Splunk ITSI search head with version 4.4.3 build 14 running on Splunk version 7.2.10. I have created correlation searches, some of which run every minute. Even though the Splunk correlation searches run as required, we have noticed that there are no events created in the index itsi_tracked_alerts even though the alert conditions are met.

In the ITSI Health Check dashboard, I see this error in the internal log:

"2020-09-07 04:52:04,796 ERROR [itsi.notable_event_actions_queue_consumer] [__init__] [exception] [121502] Encountered exception when consuming. "'No key or prefix: token.'".
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/SA-ITOA/bin/itsi_notable_event_actions_queue_consumer.py", line 109, in do_run
    action_dispatch_config=action_dispatch_config
  File "/opt/splunk/etc/apps/SA-ITOA/lib/itsi/event_management/itsi_notable_event_queue_consumer.py", line 130, in __init__
    self.auditor = Audit(self.session_key, audit_token_name=audit_token_name)
  File "/opt/splunk/etc/apps/SA-ITOA/lib/ITOA/event_management/notable_event_utils.py", line 553, in __init__
    self.audit = PushEventManager(self.session_key, audit_token_name)
  File "/opt/splunk/etc/apps/SA-ITOA/lib/ITOA/event_management/push_event_manager.py", line 111, in __init__
    hec_token=hec_token)
  File "/opt/splunk/etc/apps/SA-ITOA/lib/SA_ITOA_app_common/solnlib/modular_input/event_writer.py", line 209, in __init__
    hec_input_name, session_key, scheme, host, port, **context)
  File "/opt/splunk/etc/apps/SA-ITOA/lib/SA_ITOA_app_common/solnlib/utils.py", line 159, in wrapper
    return func(*args, **kwargs)
  File "/opt/splunk/etc/apps/SA-ITOA/lib/SA_ITOA_app_common/solnlib/modular_input/event_writer.py", line 329, in _get_hec_config
    return settings['port'], hec_input['token']
  File "/opt/splunk/etc/apps/SA-ITOA/lib/SA_ITOA_app_common/solnlib/packages/splunklib/data.py", line 253, in __getitem__
    raise KeyError("No key or prefix: %s" % key)
KeyError: 'No key or prefix: token.'"

And:

"2020-09-07 04:52:02,514 ERROR [itsi.custom_alert.itsi_generator] [__init__] [exception] [121099] Failed to validate arguments. Please make sure arguments are correct
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/SA-ITOA/bin/itsi_event_generator.py", line 57, in <module>
    modular_alert = ItsiSendAlert(sys.stdin.read())
  File "/opt/splunk/etc/apps/SA-ITOA/bin/itsi_event_generator.py", line 33, in __init__
    super(ItsiSendAlert, self).__init__(settings, is_validate)
  File "/opt/splunk/etc/apps/SA-ITOA/lib/ITOA/event_management/base_event_generation.py", line 178, in __init__
    raise ValueError(_('Failed to validate arguments. Please make sure arguments are correct'))
ValueError: Failed to validate arguments. Please make sure arguments are correct"

I hope someone has faced this error and can help me solve it. I have spent about 3 days looking into the possible errors and going through internet resources to help me troubleshoot this.