Splunk® IT Service Intelligence

Release Notes

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of ITSI. Click here for the latest version.
Acrobat logo Download topic as PDF

Known issues in Splunk IT Service Intelligence

IT Service Intelligence (ITSI) version 4.11.5 has the following known issues and workarounds.

Bulk Import

Date filed Issue number Description
2021-06-09 ITSI-17178 Some ITSI Import Objects saved searches fail to merge entities with the host field and may create duplicate entities.

Workaround:
#Disable ITSI Import Objects - VMware VM.
  1. Copy the ITSI Import Objects - VMware VM saved search, but change the entity_merge_field attribute to host.
  1. Enable the updated ITSI Import Objects - VMware VM search.

Deep Dive

Date filed Issue number Description
2022-05-19 ITSI-24186 Auto save for a default deep dive is not working.

Entities

Date filed Issue number Description
2022-01-18 ITSI-21193 Splunk dashboard's input dropdown searches aren't running within ITE Work entity detail view

Workaround:
The following dashboards are affected by this issue:
  • Applications Crashes
  • Application Installs
  • Event Monitoring
  • Network Activity
  • Windows Update

To work around this issue, add earliest and latest values to dashboard XML. Follow these steps to add the earliest and latest values to the XML:

  1. Go to Dashboards > Dashboards.
  2. Select the dashboard from the list.
  3. Select Edit.
  4. Select Source.
  5. Add earliest and latest values inside the <search> tags for all dropdowns:
  6. Select Save.

Example dashboard XML:

<search>
<query>| inputlookup windows_netmon_system | dedup Host | sort Host</query>
<earliest>0</earliest>
<latest>now</latest>
</search>

See https://docs.splunk.com/Documentation/ITSI/4.12.0/Entity/EntityType#configure-time-range-picker-tokens-in-your-dashboards for more info.

Notable Events

Date filed Issue number Description
2022-07-06 ITSI-24871 NEAP breaking criteria not obeying OR condition when time based conditions are selected

Workaround:
Keep the time based breaking conditions i.e. "_If this episode existed for:_ " and "_if the flow of events in the episode paused for:_" at the end of the OR conditions and the "_The following event occurs_" condition as first.
2022-06-30 ITSI-24808 ITSI rules of episode breaking conditions don't work

Workaround:
The breaking criteria followed by the timebased(i.e. the episode existed for/ the flow of the events into the episode is paused for) breaking criteria would be ignored

Make sure that the timebased policy is the last rule in the breaking critieria for the other rules to be followed

Notable Event Aggregation Policies

Date filed Issue number Description
2022-07-06 ITSI-24871 NEAP breaking criteria not obeying OR condition when time based conditions are selected

Workaround:
Keep the time based breaking conditions i.e. "_If this episode existed for:_ " and "_if the flow of events in the episode paused for:_" at the end of the OR conditions and the "_The following event occurs_" condition as first.
2022-06-30 ITSI-24808 ITSI rules of episode breaking conditions don't work

Workaround:
The breaking criteria followed by the timebased(i.e. the episode existed for/ the flow of the events into the episode is paused for) breaking criteria would be ignored

Make sure that the timebased policy is the last rule in the breaking critieria for the other rules to be followed

KPI Search Calculation

Date filed Issue number Description
2022-05-31 ITSI-24437 KPI with split by entity stops working after upgrade to 4.11.5.

Workaround:
This command seems to get the KPI calculation going again:

/opt/splunk/bin/splunk cmd python /opt/splunk/etc/apps/SA-ITOA/bin/kvstore_to_json.py -m 4

2022-04-21 ITSI-23110 When summary index has huge data KPI edit workflow takes a long time from Step-1 to Step-2.
2022-01-10 ITSI-21013 With custom indexes, when creating new KPI, the backfill checks look to the default itsi_summary instead of the custom one, causing potentially extra backfill.

Uncategorized issues

Date filed Issue number Description
2022-08-09 ITSI-25749 Vital metrics data doesn't populate when there are more than 100 entities in ITSI 4.11.5
2022-07-13 ITSI-24985 Entities don't retain metadata on becoming inactive for conflict resolution of type replace.
2022-03-24 ITSI-22641 Premium features disabled because the ITSI license checker is not finding all the valid licenses, when they are more than 30 licenses installed

Workaround:
If the customer has more than 30 licenses, remove the expired ones to keep the list short.
2022-01-31 ITSI-21357 Critical issue if the Splunk Add-On for Windows and Windows forwarder (from ITSI Data Integration) are installed on same machine

Workaround:
To resolve the conflict, add disabled = 0 for all seven stanzas in input.conf file for the universal forwarder. You can find the universal forwarder input.conf file in this location: C:\\Program Files\\SplunkUniversalForwarder\\etc\\apps\\SplunkUniversalForwarder\\local\\input.conf.
  • \[perfmon://CPU]
  • \[perfmon://LogicalDisk]
  • \[perfmon://Memory]
  • \[perfmon://Network]
  • \[perfmon://PhysicalDisk]
  • \[perfmon://Process]
  • \[perfmon://System]
2021-12-14 ITSI-20605, ITSI-22366 Occasionally after upgrade to ITSI 4.9.*, non-admin users get Oops Page - local.meta corrupted during the upgrade

Workaround:
Clean up all permissions on ITSI views in itsi/metadata/local.meta (and sync on SHC)

The workaround is to clean up the stanza in local.meta on the all the SH. remove all the stanza like \[views/....]  that have no valid access settings, (access = delete : \[  ], read : \[  ], write : \[  ]) and that are not custom views from your users.

As they may be many, to confirm, you can compare to the list in default.meta And you also can look at the modtime field in the stanza, as they are probably all identical.

2021-09-01 ITSI-18709 ITSI redirects to suite_redirect 500 Internal Server Error - because of python library isolation between apps

Workaround:
#Identify all the splunklib directories within the splunk apps directory using command find . -name 'splunklib' | xargs -r ls -lah.
  1. For each directory listed in step 1, check if file six.py is present.
  1. Copy the six.py from an existing splunklib directory into all the missing directories.
  1. Clean the cached files using find . -name "*.pyc" -delete
  1. Reload the ITE Work app.
Last modified on 11 August, 2022
PREVIOUS
Fixed issues in Splunk IT Service Intelligence
  NEXT
Removed features in Splunk IT Service Intelligence

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.5


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters