Splunk® IT Service Intelligence

Administration Manual

Troubleshoot ITSI backups and restores

Here are some common issues related to ITSI permissions and capabilities, backups, and restores, together with recommendations for how to resolve those issues.

User assigned a custom role can't view objects

A user assigned a custom role can't view objects in ITSI.


Make sure you've fully completed steps 1-4 in Create a custom role in ITSI.

User has itoa_admin role but can't view objects

A user is assigned the itoa_admin role but is unable to read services or any other objects on their corresponding lister pages.


By default, the itoa_admin role ships with the itoa_analyst and itoa_user roles. The itoa_user role ships with read capabilities for ITOA objects like services, entities, glass tables, and deep dives. Make sure these capabilities haven't changed.

Unable to create an external ticket

A user is assigned the itoa_analyst role with the create_external_ticket capability. However, that user is unable to create an external ticket.


A restriction in Splunk Enterprise means the user needs the itoa_admin role, which inherits from the admin role.

"Access denied. You do not have permission to create this object."

You see access denied errors when attempting to create objects.


ITSI relies on the fact that your admin role inherits from the roles defined in $SPLUNK_HOME/etc/apps/itsi/default/authorize.conf:

importRoles = itoa_admin;itoa_analyst;itoa_user;power;user


Use btool to check system/local/authorize.conf:

 $SPLUNK_HOME/bin/splunk btool authorize list role_admin --debug

You might have redefined the admin role inheritance in system/local/authorize.conf, or in other apps. If this is the case, add the missing inheritances back, either from the UI or through the configuration file.
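The check described above can be scripted. The following is an added example, not Splunk-provided code: it reads the btool output and reports which of the roles from the importRoles line above are missing from the effective setting. The function name check_admin_imports and the sample lines under /opt/splunk are constructed for illustration, and the parser assumes that --debug prefixes each line with the path of the file that supplied it.

```shell
#!/bin/sh
# Added example (not Splunk code): check the effective importRoles of role_admin.

# Roles from the importRoles line quoted on this page.
REQUIRED_ROLES="itoa_admin itoa_analyst itoa_user power user"

# Reads btool output on stdin (with or without --debug path prefixes).
# Prints "<source file> missing:<roles>" and returns 1 if any role is missing.
check_admin_imports() {
    awk -v required="$REQUIRED_ROLES" '
        /importRoles[ \t]*=/ {
            # Text before the key is the file that won the merge (--debug only).
            src = $0; sub(/[ \t]*importRoles[ \t]*=.*/, "", src)
            val = $0; sub(/.*importRoles[ \t]*=[ \t]*/, "", val)
        }
        END {
            n = split(val, have, ";")
            for (i = 1; i <= n; i++) { gsub(/[ \t]/, "", have[i]); seen[have[i]] = 1 }
            m = split(required, need, " ")
            missing = ""
            for (i = 1; i <= m; i++)
                if (!(need[i] in seen)) missing = missing " " need[i]
            if (src == "") src = "(source file not shown)"
            print src " missing:" missing
            exit (missing != "")
        }'
}

# Constructed sample: system/local has redefined the inheritance.
SAMPLE_BROKEN='/opt/splunk/etc/system/local/authorize.conf    [role_admin]
/opt/splunk/etc/system/local/authorize.conf    importRoles = power;user
/opt/splunk/etc/system/default/authorize.conf  srchMaxTime = 0'

# Constructed sample: the ITSI default is still the effective value.
SAMPLE_OK='/opt/splunk/etc/apps/itsi/default/authorize.conf  [role_admin]
/opt/splunk/etc/apps/itsi/default/authorize.conf  importRoles = itoa_admin;itoa_analyst;itoa_user;power;user'

printf '%s\n' "$SAMPLE_BROKEN" | check_admin_imports || true
printf '%s\n' "$SAMPLE_OK" | check_admin_imports || true

# Against a live instance, pipe the command from this page into the function:
#   "$SPLUNK_HOME/bin/splunk" btool authorize list role_admin --debug | check_admin_imports
```

The file path printed in front of "missing:" is the configuration file to edit when roles are reported missing.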

Default scheduled backup not running

After a fresh install or migration, the default scheduled backup isn't running at 1:00 am.


The backup runs at 1:00 am in the timezone of the server. If your local timezone is different than the server's, it might appear to run at a different time.

Alternatively, the modular input for the default scheduled backup runs at every restart, and every hour after that, so the backup can start up to one hour late. For example, if the next scheduled time is 1:00 am and the modular input runs at 12:45 am and 1:45 am, the backup starts at 1:45 am.

Failed to fetch backup information preview

ITSI fails to fetch backup information preview with ID: <backup_id>


Check https://localhost:8089/servicesNS/nobody/SA-ITOA/backup_restore_interface/backup_restore/preview/<backup_id> to see if the information exists for the given backup ID.

Failed to upload a backup file

ITSI fails to upload the selected backup file.


  • Check the network tab of the browser to see if there's a failed request. Check if you can create a restore job by clicking Create.
  • Make sure the file is valid and not corrupted.
  • Get a new backup file from the backup job. Download this file and try to upload it for restore.

Missing macro makes restore fail

A restore attempt fails because one or more of the ITSI objects in the environment were created using a macro that was subsequently deleted, and the restore can't reconcile the Splunk object that is missing from the environment with the artifact that it helped build in ITSI. To ensure consistency, restore operations attempt to validate all ITSI objects, whether those objects are in the environment or in the backup.


Avoid deleting macros and saved searches that were used to build ITSI objects. Before deleting Splunk objects from your environment, ensure that they are not used in any ITSI objects, because missing objects impact ITSI performance negatively.

Global team is gone after upgrade

The global team is no longer present after an ITSI upgrade.


All services in ITSI must be assigned to a team. If migration fails with the error Failed to import Team settings, you can manually run the Python script called itsi_reset_default_team.py. The script creates the Global team in the KV store, which completes the migration.

To run the script, perform the following steps:

  1. Run the following commands on any search head in your ITSI deployment:
    cd $SPLUNK_HOME/etc/apps/SA-ITOA/bin
    $SPLUNK_HOME/bin/splunk cmd python itsi_reset_default_team.py
  2. Provide the splunkd port number and your Splunk username and password when prompted.
    After the script finishes successfully, the Global team is created in the KV store.
  3. Restart your Splunk software.

How to check the ITSI logs

IT Service Intelligence log files have a prefix of itsi_.

  • IT Service Intelligence search command logs are located in $SPLUNK_HOME/var/run/splunk/dispatch/<session_id>/itsi_search.log.
  • All other ITSI logs are located in $SPLUNK_HOME/var/log/splunk.

All ITSI logs have a source type of itsi_internal_log to make them easy to search.


  1. Run the following Splunk search to search ITSI logs:

    index = _internal sourcetype=itsi_internal_log

  2. Click the source field under Selected Fields to see specific log files.

For Windows deployments, the ITSI search command log, itsi_search.log, cannot be searched in Splunk Web. You must open the file on the Windows host using a text editor.

Cannot use Splunk DB Connect with ITSI

Users can't use the Splunk DB Connect app with ITSI, and are being redirected to the Upgrade ITSI page.


Add the role db_connect_admin or db_connect_user to all users that inherit the itoa_admin and itoa_analyst roles.

Last modified on 22 May, 2024
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.18.0, 4.18.1, 4.19.0