
Known issues in Splunk IT Service Intelligence
IT Service Intelligence (ITSI) version 4.11.3 has the following known issues and workarounds.
Adaptive Thresholding
Date filed | Issue number | Description |
---|---|---|
2022-02-10 | ITSI-21921 | Preview for aggregate thresholds takes a long time to load Workaround: From the Preferences modal, set the Time zone to the Default System Timezone. |
2021-11-05 | ITSI-19663 | Updating a KPI threshold policy within a service template causes the thresholds of all existing KPIs that use adaptive thresholds to get reset Workaround: Temporary workaround to avoid false alerts: # Put services that are linked to the service template into maintenance mode # Make KPI threshold changes within the service template and push out # Wait to make sure all services are synced # Manually run the itsi_at_search_kpi_minusXd to recreate the adaptive threshold models # Disable maintenance mode for false alerts |
Backup/Restore and Migration Issues
Date filed | Issue number | Description |
---|---|---|
2021-12-06 | ITSI-20325 | When a backup .ZIP file includes a base search with a title that is over 100 characters, the backup restore job will fail. |
2021-12-02 | ITSI-20308 | Errors found in the migration log while upgrading to 4.11.0 |
Notable Events
Date filed | Issue number | Description |
---|---|---|
2022-01-25 | ITSI-21269 | The grouping of Bidirectional Ticketing events sets the episode KV store state to faulty values |
2022-01-05 | ITSI-20978 | ServiceNow bidirectional integration resets the episode title, status, severity, and owner. Workaround:
|
2021-12-07 | ITSI-20343 | Impacted Services and KPIs do not appear in Episode Review when using Teams functionality Workaround: Create/edit Template:SA-ITOA/local/macros.conf and add the following two stanzas: {noformat}# Take in a string of team_keys in the format of '(sec_grp="itsi_team_key") OR (sec_grp="itsi_team_key")' and returns a filter of service_ids [itsi_events_compare_teams(1)] args = itsi_team_id_list definition = search (service_ids=*null*) OR (NOT service_ids=*) OR [|inputlookup itsi_services_in_team_lookup where ($itsi_team_id_list$) | rename _key as service_ids | eval service_ids="*".service_ids."*" | fields service_ids]
[itsi_groups_compare_teams(1)]
args = itsi_team_id_list
definition = search (itsi_service_ids=*null*) OR (NOT itsi_service_ids=*) OR [|inputlookup itsi_services_in_team_lookup where ($itsi_team_id_list$) | rename _key as itsi_service_ids | eval itsi_service_ids="*".itsi_service_ids."*" | fields itsi_service_ids]{noformat} |
2021-12-03 | ITSI-20314 | Episode not being marked as inactive when bulk close is used |
2021-10-20 | ITSI-19415 | On Windows server, more than 1 rules engines processes are spawned at a time. Workaround: The root cause is the splunk phased_execution_mode. Edit the limits.conf file and add the line:
|
2021-01-21 | ITSI-13167 | On Safari, there is a 10 to 15 second delay when editing a Notable Event Aggregation Policy using the ServiceNow action |
Notable Event Aggregation Policies
Date filed | Issue number | Description |
---|---|---|
2022-01-25 | ITSI-21269 | The grouping of Bidirectional Ticketing events sets the episode KV store state to faulty values |
2022-01-05 | ITSI-20978 | ServiceNow bidirectional integration resets the episode title, status, severity, and owner. Workaround:
|
2021-12-07 | ITSI-20343 | Impacted Services and KPIs do not appear in Episode Review when using Teams functionality Workaround: Create/edit Template:SA-ITOA/local/macros.conf and add the following two stanzas: {noformat}# Take in a string of team_keys in the format of '(sec_grp="itsi_team_key") OR (sec_grp="itsi_team_key")' and returns a filter of service_ids [itsi_events_compare_teams(1)] args = itsi_team_id_list definition = search (service_ids=*null*) OR (NOT service_ids=*) OR [|inputlookup itsi_services_in_team_lookup where ($itsi_team_id_list$) | rename _key as service_ids | eval service_ids="*".service_ids."*" | fields service_ids]
[itsi_groups_compare_teams(1)]
args = itsi_team_id_list
definition = search (itsi_service_ids=*null*) OR (NOT itsi_service_ids=*) OR [|inputlookup itsi_services_in_team_lookup where ($itsi_team_id_list$) | rename _key as itsi_service_ids | eval itsi_service_ids="*".itsi_service_ids."*" | fields itsi_service_ids]{noformat} |
2021-12-03 | ITSI-20314 | Episode not being marked as inactive when bulk close is used |
2021-10-20 | ITSI-19415 | On Windows server, more than 1 rules engines processes are spawned at a time. Workaround: The root cause is the splunk phased_execution_mode. Edit the limits.conf file and add the line:
|
2021-01-21 | ITSI-13167 | On Safari, there is a 10 to 15 second delay when editing a Notable Event Aggregation Policy using the ServiceNow action |
Uncategorized issues
Date filed | Issue number | Description |
---|---|---|
2022-03-24 | ITSI-22641 | Premium features disabled because the ITSI license checker is not finding all the valid licenses, when they are more than 30 licenses installed Workaround: If the customer has more than 30 licenses, remove the expired ones to keep the list short. |
2022-02-16 | ITSI-22140 | Sorted by in Episode Review does not work with "First Event Time" |
2022-02-04 | ITSI-21526 | Endpoint for closing and breaking an episode does not show a warning when all the fields are not provided in payload |
2022-01-31 | ITSI-21357 | Critical issue if the Splunk Add-On for Windows and Windows forwarder (from ITSI Data Integration) are installed on same machine Workaround: To resolve the conflict, add disabled = 0 for all seven stanzas in input.conf file for the universal forwarder. You can find the universal forwarder input.conf file in this location: C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\SplunkUniversalForwarder\\local\\input.conf.
|
2022-01-31 | ITSI-21361 | Bad regex in the ITSI Log Messages deduplicated panel of the ITSI health dashboard |
2022-01-07 | ITSI-21005 | Discovery searches are not updating entities |
2021-12-23 | ITSI-20846 | Bidirectional ticketing events being picked up as notable events and retitled as Ticket Event in episodes Workaround: # In etc/app/itsi/local/savedsearches.conf, replace the Bidirectional Ticketing clause with the following: {noformat}[Bidirectional Ticketing] action.itsi_event_generator.param.description = %group_description% action.itsi_event_generator.param.itsi_instruction = %group_instruction% action.itsi_event_generator.param.owner = %group_assignee% action.itsi_event_generator.param.severity = %group_severity% action.itsi_event_generator.param.status = %group_status% action.itsi_event_generator.param.title = %group_title% disabled = 0 dispatch.earliest_time = -4h search = | `itsi_bidirectional_ticketing(main,90,itsi_tracked_alerts)`\ | join group_id\ [ search `itsi_event_management_group_index_with_state("")` | rename itsi_group_id as group_id | stats latest(itsi_group_title) as group_title latest(itsi_group_severity) as group_severity latest(itsi_group_assignee) as group_assignee latest(itsi_group_description) as group_description latest(itsi_group_instruction) as group_instruction by group_id] {noformat}
This should help mitigate the issue while the code fix is in progress. If any of their NEAP action rules has the following condition Template:Create SNOW ticket when number of events is equal to 1, there is a chance that the issue will occasionally come up due to a race condition between the initialization of the episode and the creation of the SNOW ticket. In they notice this occurring, they can either:
|
2021-12-14 | ITSI-20605, ITSI-22366 | Occasionally after upgrade to ITSI 4.9.*, non-admin users get Oops Page - local.meta corrupted during the upgrade Workaround: Clean up all permissions on ITSI views in itsi/metadata/local.meta (and sync on SHC) The workaround is to clean up the stanza in local.meta on the all the SH. remove all the stanza like \[views/....] that have no valid access settings, (access = delete : \[ ], read : \[ ], write : \[ ]) and that are not custom views from your users. As they may be many, to confirm, you can compare to the list in default.meta
And you also can look at the modtime field in the stanza, as they are probably all identical. |
2021-10-25 | ITSI-19489 | The Next Scheduled Time for entity management policies is based on the system time zone, instead of the user's current time zone. |
2021-09-09 | ITSI-18800 | When you add ITSI instances as search peers to another Splunk instance, the peers might be disabled after 72 hours. This is because the ITSI licenses are flagged as duplicates on the search peers. |
2021-09-01 | ITSI-18709 | ITSI 4.9 redirects to suite_redirect 500 Internal Server Error - because of python library isolation between apps Workaround: #Identify all the splunklib directories within the splunk apps directory using command find . -name 'splunklib' | xargs -r ls -lah .
|
All ITSI Modules
Publication date | Issue number | Description |
---|---|---|
2017-03-21 | ITOA-7585 | When you bulk add services and an error caused by the racing condition occurs, the incorrect message "itsi_module does not exist" is displayed. |
2017-03-07 | MOD-979 | KPIs do not have consistent backfill settings across all modules. |
2017-01-17 | MOD-452 | The Analyze KPI button on the Service Details page is broken. |
2017-01-17 | MOD-402 | The Export to PDF option does not work in the drilldown to a module. |
2017-01-17 | MOD-296 | The extendable tab XML generator REST endpoint is located in DA-ITSI-OS instead of in common components where it can be used by all modules. |
2017-01-17 | MOD-591 | ITSI displays a misleading error message when a KPI template contains a field that cannot be resolved. |
2017-01-17 | MOD-498 | There is no upper limit to the number of characters a KPI title or description can contain. Long strings can negatively affect performance. |
2017-01-17 | MOD-309 | The Gruntfile.js included in ITSI modules uses double quotes instead of single quotes, which does not conform to the standard for all JavaScript files. |
2017-04-17 | MOD-2002 | When you drilldown from the Events tab, an "Invalid earliest_time" error occurs.
|
2017-01-17 | MOD-439 | Some modules do not have descriptions for saved searches. |
Application Server Module
Publication date | Issue number | Description |
---|---|---|
2017-01-27 | MOD-492 | If you reuse the same panel within a dashboard, the duplicate panel does not display any event data. |
Cloud Services Module
There are no known issues for this release.
Database Module
Publication date | Issue number | Description |
---|---|---|
2017-01-17 | MOD-586 | When a lookup is not configured for TA-Microsoft-SqlServer, ITSI displays a misleading error message on the server drilldown page. |
End User Experience Module
There are no known issues for this release.
Load Balancer Module
Publication date | Issue number | Description |
---|---|---|
2017-01-27 | MOD-492 | If you reuse the same panel within a dashboard, the duplicate panel does not display any event data. |
Operating System Module
Publication date | Issue number | Description |
---|---|---|
2017-04-13 | MOD-555 | The Storage Free Space % base search runs every minute while the Linux df command runs every 5 minutes. This causes data gaps. |
2017-04-10 | MOD-1964 | Windows data for memory free space is collected at different intervals than the Memory Free % KPI. |
2017-01-17 | MOD-1398 | Line, stack, and area charts do not display a metric gap when no metrics are available during a time period. |
Storage Module
There are no known issues for this release.
Virtualization Module
There are no known issues for this release.
Web Server Module
Publication date | Issue number | Description |
---|---|---|
2017-03-17 | MOD-320 | Some KPI ad hoc searches transform data with the stats command and do not retain time fields. The KPIs do not render anything and do not show thresholding details.
|
2017-03-17 | MOD-538 | When you add a new tab with panels and refresh the page, the page breaks. |
PREVIOUS Fixed issues in Splunk IT Service Intelligence |
NEXT Removed features in Splunk IT Service Intelligence |
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.3
Feedback submitted, thanks!