Troubleshoot the Content Pack for ITSI Monitoring and Alerting
Follow these troubleshooting tips for the Content Pack for ITSI Monitoring and Alerting if you are experiencing errors or it is otherwise not working as you expect.
Notable Event Aggregation Policy (NEAP) isn't working as expected
Problem
The filter criteria for the following Notable Event Aggregation Policies (NEAPs) aren't working as expected:
- Episodes by Alarm
- Episodes by Alert Group
- Episodes by ITSI Service
- Episodes by Src
Cause
The definitions of the NEAPs use these filter criteria:
"config": { "field": "itsi_policy_id", "operator": "=", "value": "<uuid>" }
In previous versions of the content pack, the UUID was hard-coded. Ideally, the value for the itsi_policy_id field is the ID of the NEAP.
Solution
Follow these steps to update the value of the itsi_policy_id field to use the ID for the NEAPs:
- Log in to the Splunk instance with ITSI.
- Go to the IT Service Intelligence app.
- Go to Configuration > Notable Event Aggregation Policies.
- For each NEAP, follow these steps:
  - Select a NEAP, and select the Filter Criteria and Instructions tab.
  - Under include the events if, replace the value in the itsi_policy_id field as per this table:

  | NEAP | Existing itsi_policy_id | New itsi_policy_id |
  | --- | --- | --- |
  | Episodes by Alarm | cef5eec4-2dcc-11eb-8ffb-0671d5072164 | da-itsi-cp-monitoring-alerting-episodes-by-alarm |
  | Episodes by Alert Group | e3ec489a-04b1-11ea-8567-021bca2da03d | da-itsi-cp-monitoring-alerting-episodes-by-alert-group |
  | Episodes by ITSI Service | 48a35d46-0557-11ea-9716-021bca2da03d | da-itsi-cp-monitoring-alerting-episodes-by-itsi-service |
  | Episodes by Src | 76073f1c-303c-11eb-8ffe-0671d5072164 | da-itsi-cp-monitoring-alerting-episodes-by-src |

  - Select Preview results to preview the results for the new NEAP filter criteria.
  - Select Save.
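To check which policies still carry a hard-coded UUID, the following added example (not part of the Splunk documentation or the content pack) walks NEAP definitions exported as JSON and rewrites any stale itsi_policy_id filter value using the table above. Only the "config" object shape comes from this page; the surrounding keys in the sample (title, filter_criteria, condition, items), the sample data, and the function name are assumptions made for illustration.

```python
import json

# Old hard-coded UUID -> new NEAP ID, copied from the table above.
POLICY_ID_MAP = {
    "cef5eec4-2dcc-11eb-8ffb-0671d5072164": "da-itsi-cp-monitoring-alerting-episodes-by-alarm",
    "e3ec489a-04b1-11ea-8567-021bca2da03d": "da-itsi-cp-monitoring-alerting-episodes-by-alert-group",
    "48a35d46-0557-11ea-9716-021bca2da03d": "da-itsi-cp-monitoring-alerting-episodes-by-itsi-service",
    "76073f1c-303c-11eb-8ffe-0671d5072164": "da-itsi-cp-monitoring-alerting-episodes-by-src",
}

def fix_policy_filters(node, changes=None, path="$"):
    """Walk parsed NEAP JSON in place and rewrite stale itsi_policy_id values.

    Returns a list of (json_path, old_value, new_value), one per rewrite.
    The walk is structure-agnostic: it only relies on the "config" shape."""
    if changes is None:
        changes = []
    if isinstance(node, dict):
        cfg = node.get("config")
        if isinstance(cfg, dict) and cfg.get("field") == "itsi_policy_id" \
                and cfg.get("operator") == "=":
            old = cfg.get("value")
            if isinstance(old, str) and old in POLICY_ID_MAP:
                cfg["value"] = POLICY_ID_MAP[old]
                changes.append((f"{path}.config", old, cfg["value"]))
        for key, child in node.items():
            fix_policy_filters(child, changes, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            fix_policy_filters(child, changes, f"{path}[{i}]")
    return changes

# Constructed sample export: the first policy is stale, the second is already fixed.
SAMPLE_EXPORT = json.loads("""
[
  {"title": "Episodes by Alarm",
   "filter_criteria": {"condition": "AND", "items": [
     {"config": {"field": "itsi_policy_id", "operator": "=",
                 "value": "cef5eec4-2dcc-11eb-8ffb-0671d5072164"}}]}},
  {"title": "Episodes by Src",
   "filter_criteria": {"condition": "AND", "items": [
     {"config": {"field": "itsi_policy_id", "operator": "=",
                 "value": "da-itsi-cp-monitoring-alerting-episodes-by-src"}}]}}
]
""")

if __name__ == "__main__":
    for where, old, new in fix_policy_filters(SAMPLE_EXPORT):
        print(f"{where}: {old} -> {new}")
```

An empty result means no filter in the export still uses one of the four hard-coded UUIDs.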
Search attempts generate error messages
Problem
Running a saved search generates one or more "Could not load lookup" error messages, for example: Could not load lookup=LOOKUP-itsi_kpi_attributes
Cause
The Content Pack for Monitoring and Alerting depends on lookups that must be generated in your environment. Even if you are not using this Content Pack, these lookups need to exist or you'll see search error messages of the "Could not load lookup" kind.
Solution
To generate the required lookups and fix "Could not load lookup" errors, do the following:
- Open a search screen.
- Run the following search:
| savedsearch CPMA-Lookups-Init
Note that it can take a couple of minutes before search errors related to the lookups disappear.
Missing service_name field
Problem
The service_name field is missing for some records in the itsi_summary index.
Cause
The service_name field is not native to IT Service Intelligence. Earlier versions of the content pack added service_name to new records in the itsi_summary index, but as of Content Pack for ITSI Monitoring and Alerting version 2.3.0, which was released together with Splunk App for Content Packs 2.0.0, the protocol for obtaining service_name changed.
Solution
Use the following SPL command to obtain service_name for a given serviceid:
| lookup service_kpi_lookup _key AS serviceid OUTPUT title AS service_name
For more information, see Obtain service_name.
This documentation applies to the following versions of Content Pack for ITSI Monitoring and Alerting: 2.3.0