Splunk® IT Service Intelligence


This documentation does not apply to the most recent version of Splunk® IT Service Intelligence. For documentation on the most recent version, go to the latest release.

Troubleshooting modules

This topic discusses problems that can occur with data correlation in the ITSI modules and how to address those problems.

Troubleshooting entities

The following entity-related problems can occur with ITSI modules.

No entities appear when you attempt to define a new service

When you are unable to locate entities after you have configured data collection on entities, the problem has one of several root causes:

You have not configured the technology add-on correctly on the host that you want module and KPI data from. This usually means you either have not installed the correct Splunk add-on on the machine, or have not configured the appropriate inputs within the Splunk add-on to send data.

Windows hosts must have the Splunk Add-on for Windows installed, and *nix hosts must have the Splunk Add-on for Unix and Linux installed. Additionally, these Splunk add-ons must have the correct input stanzas enabled before entities can show up in the service definition dialog in ITSI. To check whether the add-on is configured correctly, see Operating System Module configurations in this manual.

Before ITSI can display entity data, that data must be present on an indexer that ITSI has access to. If you don't see entity data for a host you have configured, consider the following:

  1. Confirm that no firewall or physical network break blocks access between the universal forwarder and the indexer.
  2. If entity data is slow or late to arrive, you might be experiencing network latency or network errors, or the entities on which the universal forwarder is installed might be experiencing performance issues (for example, CPU and disk).

The Splunk user that uses the ITSI app must have specific permissions and access to the indexes that ITSI uses. Otherwise, entities don't appear.

Confirm that the user who accesses ITSI can see the indexes that store the data from the host technology add-ons. If that user does not have permission to view those indexes, no host data can appear.

ITSI data can be present in any of the following indexes:

  • main
  • os (from the Splunk Add-on for Unix and Linux)
  • windows (from the Splunk Add-on for Windows)
  • wineventlog (from the Splunk Add-on for Windows)
  • perfmon (from the Splunk Add-on for Windows)
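The index-access check described above can be done offline against role definitions. The following is an added example, not part of the Splunk documentation: it reads authorize.conf text and reports which of the listed indexes a role cannot search, following importRoles inheritance. The sample configuration and its role names are constructed, and the script assumes it is given the already-merged configuration (for example, the output of splunk btool authorize list).

```python
import configparser
from fnmatch import fnmatchcase

# Indexes this page lists as possible locations for ITSI module data.
ITSI_INDEXES = ["main", "os", "windows", "wineventlog", "perfmon"]

# Constructed sample authorize.conf; the role names are hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main

[role_nix_ops]
importRoles = user
srchIndexesAllowed = os

[role_win_ops]
importRoles = user
srchIndexesAllowed = win*;perfmon
"""

def load_roles(text):
    """Parse authorize.conf text into {role_name: section}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: srchIndexesAllowed, importRoles
    cp.read_string(text)
    return {s[len("role_"):]: cp[s] for s in cp.sections() if s.startswith("role_")}

def allowed_patterns(roles, name, seen=None):
    """Collect srchIndexesAllowed patterns for a role and the roles it imports."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # unknown role or inheritance loop
        return set()
    seen.add(name)
    section = roles[name]
    patterns = {p.strip() for p in section.get("srchIndexesAllowed", "").split(";") if p.strip()}
    for parent in section.get("importRoles", "").split(";"):
        patterns |= allowed_patterns(roles, parent.strip(), seen)
    return patterns

def missing_itsi_indexes(roles, name):
    """Return the listed ITSI indexes that the role is not allowed to search."""
    patterns = allowed_patterns(roles, name)
    # Assumption: '*' wildcards are matched with fnmatch, which is enough for these names.
    return [i for i in ITSI_INDEXES if not any(fnmatchcase(i, p) for p in patterns)]

if __name__ == "__main__":
    roles = load_roles(SAMPLE_AUTHORIZE_CONF)
    for role in sorted(roles):
        print(role, "cannot search:", missing_itsi_indexes(roles, role) or "none")
```

A role that reports missing indexes is not necessarily misconfigured: grant only the indexes that actually hold the add-on data for the hosts that user needs to see.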

The Entity Details view is not available

If you are unable to see the Entity Details view from within ITSI even after you have defined entities and services, confirm the following:

  • You are in the deep dive view in ITSI. The Entity Details view only works in deep dives.
  • You have enabled overlays in a deep dive lane.

The Entity Details view does not show all data on some panels

If you do not see all data on some panels of the Entity Details view, confirm that you have enabled the appropriate inputs in the technology add-on for the entity whose data is missing. Also confirm that you use the correct Splunk add-on for the entity in question and that the end user viewing the data is authorized to query the index where the performance data is stored.

Entities are slow to load

Data is unavailable, incomplete, or taking a long time to load. Entity data begins ingestion at service creation time and does not backfill. It takes about an hour to start seeing a full sparkline chart and for KPIs to become active. Drilldowns are Splunk searches that search across the log files and indexes for the time window assigned.

Troubleshooting metrics

The following metrics-related problems can occur with ITSI modules.

No data visible in modules

If you are having trouble viewing your data, run the data model audit to make sure your data models are processing your data.

Some KPIs do not populate

If you do not see some key performance indicators populate within ITSI after you define entities and services, confirm the following:

  • You have configured the Splunk add-ons on a host properly. For details, including sample configuration files, see below.
  • The logged-in user has access to the correct indexes. The user must be able to search the indexes before KPIs can populate.

Troubleshooting permissions

If a user encounters a permission-related obstacle, the issue could be related to their assigned role. ITSI permissions are determined by the role that each user has. Each role offers a different set of permissions.

ITSI access is broken down by the following roles:

  • Can use ITSI to view services, glass tables, and deep dives. Can create private glass tables or deep dives.
  • User permissions, plus can own notable events.
  • Analyst permissions, plus can administer the entire ITSI system.

When a user clicks on a service from the module visualization page, the user's role determines what the user can do and view. By default, admin and analyst roles allow you to create, edit and delete services. Admin level access permissions are required to access the service configuration page.

To locate an existing user or role in Splunk Web, click Settings and select Users or Roles. Use the filter to search for an existing user or role.

Learn about adding navigation to a Splunk app.

Sample configuration files

Navigate to the sample configuration files in the Operating System Module troubleshooting section of the Splunk IT Service Intelligence Modules manual. These sample configuration files for the Splunk Add-on for Windows and the Splunk Add-on for Unix and Linux collect the data and metrics needed to generate the KPIs for the Operating System Module.

Copy and paste them into an inputs.conf file within the appropriate add-on on the host from which you want to collect data.

Last modified on 28 April, 2023

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.5, 4.11.6, 4.12.0 Cloud only, 4.12.1 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1, 4.18.0, 4.18.1
