Related Answers
This documentation does not apply to the most recent version of ITSI.
Click here for the latest version.
Download topic as PDF
Known issues in Splunk IT Service Intelligence
IT Service Intelligence (ITSI) version 4.8.0 has the following known issues and workarounds.
Adaptive Thresholding
| Date filed | Issue number | Description |
|---|---|---|
| 2021-07-28 | ITSI-17991 | AdaptiveThresholding: KPI calculated thresholdValues get overwritten |
| 2021-01-19 | ITSI-13130 | ITSI Adaptive Threshold browser freeze or slow - because threshold preview runs an all time search |
Backup/Restore and Migration Issues
| Date filed | Issue number | Description |
|---|---|---|
| 2021-02-14 | ITSI-13862 | ITSI backup fails if mgmtHostPort is not the default setting in web.conf. Workaround: Back up and restore the KV store. [1] |
| 2021-01-28 | ITSI-13296 | Migration from 4.6.x/4.7.x to 4.8.0 will fail if a dashboard_drilldown has missing attributes and doesn't comply with entity type rules. Workaround: A dashboard_drilldown must comply with the following rules:
|
| 2020-01-31 | ITSI-5578 | Upgrade from version 4.2.1 to 4.4.x or higher fails on importing comments because the new HEC token is missing 'itsi_group_comments_token' Workaround: 1. Go to Settings > Data inputs on your ITSI instance. Locate HTTP Event Collector and verify that the "Token Value" field is empty. 2. If the token value is empty, delete the itsi_group_comments_token token through the UI and recreate it by disabling and reenabling the default_hec_initializer modular input at Settings > Data inputs > IT Service Intelligence HEC Initializer. 3. Disable and reenable the migration modular input at Settings > Data inputs > IT Service Intelligence Migration Modular Input. |
| 2019-07-24 | ITSI-3836 | Objects such as service analyzers, glass tables, and deep dives are missing after upgrade. Workaround: If some objects are missing from the UI or unaccessible after you upgrade, the ACL objects corresponding to the objects might be missing or corrupted. For troubleshooting steps, see https://docs.splunk.com/Documentation/ITSI/latest/Install/Troubleshoot. |
| 2019-07-23 | ITSI-3830 | Upon upgrade to 4.3.x, correlation searches and multi-KPI alerts are missing the 'all_info' field. |
| 2019-05-07 | ITSI-3119 | Upgrade fails because a service template sync was queued. Workaround: Delete the backup using the curl command to change its status to Completed. Then force the service template sync. Restart Splunk software to complete the migration. |
| 2019-01-03 | ITSI-2164 | ITSI backup times out due to an extremely large number of episode comments in the KV store. Workaround: Delete all comments prior to the backup (purge the collections in the KV store) or increase the Splunkd timeout and KV store limits. Then reduce the lifetime of the ITSI notable event collections in the KV store to archive them faster (the default is 6 months). |
| 2018-10-16 | ITSI-1748 | You cannot restore an ITSI backup more than once. Workaround: This issue occurs because the saved search DA-ITSI-APM-EUEM_Base_Search is missing from the system. Create the missing saved search manually before restoring the backup. For example, create a local version of savedsearches.conf and add the following stanza: [DA-ITSI-APM-EUEM_Base_Search] description = search = request.ui_dispatch_app = itsi request.ui_dispatch_view = search |
| 2017-02-10 | ITSI-1309 | If multiple services use one KPI base search, and the total size of your services exceeds 50 MB, ITSI generates an error. Workaround: Increase the value for max_size_per_batch_save_mb (50MB is default) in $SPLUNK_HOME/etc/apps/SA-ITOA/local/limits.conf under the [kvstore] stanza. |
| 2016-05-02 | ITSI-1305 | After migration, shared objects (service analyzers, glass tables, and deep dives) are not accessible. Workaround: Use the curl command and create ACLs for each of the shared objects that are currently saved in the KV store collections: itsi_pages and itsi_service_analyzer. For example: $ curl -u admin:Splunk3r -k https://127.0.0.1:8089/servicesNS/nobody/SA-UserAccess/storage/collections/data/app_acl -X POST -H "Content-Type:application/json" -d '\{
"obj_id": "XXX-XXX-XXX",
"obj_type": "glass_table",
"obj_app": "itsi",
"obj_storename": "itsi_pages",
"obj_acl": \{
"obj_owner": "nobody",
"read": ["*"],
"write": ["*"],
"delete": ["*"]
},
"object_shared_by_inclusion": "true",
"acl_owner": "nobody"
}'
|
Bulk Import
| Date filed | Issue number | Description |
|---|---|---|
| 2021-07-03 | ITSI-17629, ITSI-17628 | Entity Import: Recurring import saved with "role" instead of user name for 'Owner' |
| 2021-02-18 | ITSI-13953 | Row preview of bulk import doesn't return results error 500 |
| 2020-02-05 | ITSI-5623 | KPI searches run into memory limits when trying to reconstruct entity filter causing fewer entities to be used than expected Workaround: Workaround is to increase memory limits for mvcombine and mvexpand splunk search commands. Default for both commands is set at 500, example is to double memory limit. # Make an update to $SPLUNK_HOME/etc/system/local/limits.conf # add the following stanzas: [mvcombine] max_mem_usage_mb = 1000 [mvexpand] max_mem_usage_mb = 1000 |
| 2015-03-25 | ITSI-1293 | In a search head cluster environment, you cannot set up a recurring import (from CSV or search) through the UI. Workaround: 1. Create the modular input through the UI. ITSI adds the input as a new stanza in $SPLUNK_HOME/etc/apps/itsi/local/inputs.conf. It is not replicated across search peers.
Alternatively, if you're familiar with the format of modular inputs, you can create the input yourself. |
Deep Dive
| Date filed | Issue number | Description |
|---|---|---|
| 2019-05-22 | ITSI-3258 | "HTTP 414: URI Too Long" when navigating in the ITSI UI. Workaround: ITSI does not limit URL length, so pages with too many characters fail to load. To work around this issue, limit your request lengths to the following:
|
Entities
| Date filed | Issue number | Description |
|---|---|---|
| 2021-01-05 | ITSI-12881 | Filtering displays entities that have don't match the current filter string on the Entities and Entity Types page. |
| 2015-02-12 | ITSI-1286 | When importing entities using Data inputs > IT Service Intelligence CSV Import, the page overflows. |
Notable Events
| Date filed | Issue number | Description |
|---|---|---|
| 2021-09-29 | ITSI-19043 | For time-based policies, count-based actions for Notable Event Action Policies execute multiple times. |
| 2021-03-18 | ITSI-14834 | NEAP - Action rules are ignored with Break Episode condition based on episodes existed in seconds condition Workaround: Workaround screenshots are provided in the Description. Workaround may not work all the time, but worth trying it. See the description. Workaround: Add an "AND" criteria to the Action Rule which is executing multiple actions. For example, if the Action Rule is "number of events == 1". Then change it to "number of events == 1" AND "the following event occurs whose status matches *" |
| 2021-01-21 | ITSI-13167 | On Safari, there is a 10 to 15 second delay when editing a Notable Event Aggregation Policy using the ServiceNow action |
| 2020-10-22 | ITSI-11620 | Time-based action rules aren't triggered if the flow of events into an episode is paused. |
| 2020-02-27 | ITSI-5932 | ITSI doesn't support running Splunk Enterprise version 8.0.x with Ubuntu 18.04 and Open JDK 11. Workaround: Use Oracle JDK 11 or Open/Oracle JDK 8 instead of Open JDK 11, or use other versions of Linux. |
| 2019-10-15 | ITSI-4663 | Upon upgrade to version 4.3.0 or later, the Rules Engine command fails with error: "Error occurred during initialization of VM". Workaround: This issue occurs because 32-bit Java cannot run the Rules Engine with the new memory settings introduced in version 4.3.x.
|
| 2019-01-03 | ITSI-2164 | ITSI backup times out due to an extremely large number of episode comments in the KV store. Workaround: Delete all comments prior to the backup (purge the collections in the KV store) or increase the Splunkd timeout and KV store limits. Then reduce the lifetime of the ITSI notable event collections in the KV store to archive them faster (the default is 6 months). |
| 2018-12-10 | ITSI-2059 | Some notable events are added to more than one episode. Workaround: For an ITSI search head running Splunk 7.1 or 7.2, create or edit etc/system/local/limits.conf and add the following stanza: [search] phased_execution_mode = auto For an ITSI search head running Splunk 7.3 or later, there is no need to change anything. |
| 2017-03-29 | ITSI-1299 | When your browser and the Splunk server are set to different DST time zones, the incorrect time might display for events in Episode Review. Workaround: Set your time zone to something other than "system default" even if you are in the same time zone as the system default. |
| 2017-03-29 | ITSI-1316 | Splunkd connection fails due to "no_shared cipher matched" between client and server. Workaround: In order for notable event management and anomaly detection to work with Splunk platform 6.6, do the following:
* Download JCE 8 from http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html * Unzip the downloaded file * Place the two jars from the zip file into <java_jre_install_dir>/lib/security/ if running the JRE or <java_jdk_install_dir>/jre/lib/security if running the JDK.
* Download JCE 7 from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html * Unzip the downloaded file * Place the two jars from the zip file into <java_jre_install_dir>/lib/security/ if running the JRE or <java_jdk_install_dir>/jre/lib/security if running the JDK. Update SA-ITOA/local/commands.conf with the following commands: [itsirulesengine] type = custom command.arg.1=-J-Xmx1024M command.arg.2=-Dlog4j.configurationFile=../default/log4j_rules_engine.xml command.arg.3=-DitsiRulesEngine.configurationFile=../default/itsi_rules_engine.properties command.arg.4=-Dhttps.protocols=TLSv1.2,TLSv1.1 command.arg.5=-Dhttps.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256 chunked = true [itsicorrelationengine] type = custom command.arg.1=-J-Xmx1024M command.arg.2=-Dlog4j.configurationFile=../default/log4j_correlation_engine.xml command.arg.3=-J-XX:+UseConcMarkSweepGC command.arg.4=-DitsiCorrelationEngine.configurationFile=../default/itsi_correlation_engine.properties command.arg.5=-Dhttps.protocols=TLSv1.2,TLSv1.1 command.arg.6=-Dhttps.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256 chunked = true Update SA-ITSI-MetricAD/local/commands.conf with the following commands: [mad] type = custom command.arg.1=-J-Xmx1G command.arg.2=-Dlog4j.configurationFile=../default/log4j.xml command.arg.3=-Dlog4j2.threadContextMap=com.splunk.mad.util.MadThreadContextMapcommand.arg.4=-Dhttps.protocols=TLSv1.2,TLSv1.1 command.arg.5=-Dhttps.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256chunked = true |
| 2016-09-08 | ITSI-1268 | ITSI generates duplicate event_ids from the itsi_tracked_alerts index. This occurs when correlation search results contain an existing event_id. In this case, ITSI picks up the value of the event_id field and does not create a GUID for the event. Workaround: Rename the event_id field. |
| 2016-04-01 | ITSI-1346 | The 'Ping Host' action does not work when ITSI and Enterprise Security are installed on the same machine. Workaround: 1. Add the following stanza to $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecurity/local/inputs.conf:
[app_imports_update://update_es] apps_to_update = (SA-(?!(ITOA|ITSI|IndexCreation|UserAccess)).*) | (Splunk_SA_.*)
2. Delete the "import = *" line from [] stanza of $SPLUNK_HOME/etc/apps/$APP/metadata/local.meta, where APP=SA-ITOA, SA-ITSI-ATAD, SA-ITSI-LicenseChecker, SA-IndexCreation, SA-UserAccess. |
Notable Event Aggregation Policies
| Date filed | Issue number | Description |
|---|---|---|
| 2021-09-29 | ITSI-19043 | For time-based policies, count-based actions for Notable Event Action Policies execute multiple times. |
| 2021-03-18 | ITSI-14834 | NEAP - Action rules are ignored with Break Episode condition based on episodes existed in seconds condition Workaround: Workaround screenshots are provided in the Description. Workaround may not work all the time, but worth trying it. See the description. Workaround: Add an "AND" criteria to the Action Rule which is executing multiple actions. For example, if the Action Rule is "number of events == 1". Then change it to "number of events == 1" AND "the following event occurs whose status matches *" |
| 2021-01-21 | ITSI-13167 | On Safari, there is a 10 to 15 second delay when editing a Notable Event Aggregation Policy using the ServiceNow action |
| 2020-10-22 | ITSI-11620 | Time-based action rules aren't triggered if the flow of events into an episode is paused. |
| 2020-02-27 | ITSI-5932 | ITSI doesn't support running Splunk Enterprise version 8.0.x with Ubuntu 18.04 and Open JDK 11. Workaround: Use Oracle JDK 11 or Open/Oracle JDK 8 instead of Open JDK 11, or use other versions of Linux. |
| 2019-10-15 | ITSI-4663 | Upon upgrade to version 4.3.0 or later, the Rules Engine command fails with error: "Error occurred during initialization of VM". Workaround: This issue occurs because 32-bit Java cannot run the Rules Engine with the new memory settings introduced in version 4.3.x.
|
| 2019-01-03 | ITSI-2164 | ITSI backup times out due to an extremely large number of episode comments in the KV store. Workaround: Delete all comments prior to the backup (purge the collections in the KV store) or increase the Splunkd timeout and KV store limits. Then reduce the lifetime of the ITSI notable event collections in the KV store to archive them faster (the default is 6 months). |
| 2018-12-10 | ITSI-2059 | Some notable events are added to more than one episode. Workaround: For an ITSI search head running Splunk 7.1 or 7.2, create or edit etc/system/local/limits.conf and add the following stanza: [search] phased_execution_mode = auto For an ITSI search head running Splunk 7.3 or later, there is no need to change anything. |
| 2017-03-29 | ITSI-1299 | When your browser and the Splunk server are set to different DST time zones, the incorrect time might display for events in Episode Review. Workaround: Set your time zone to something other than "system default" even if you are in the same time zone as the system default. |
| 2017-03-29 | ITSI-1316 | Splunkd connection fails due to "no_shared cipher matched" between client and server. Workaround: In order for notable event management and anomaly detection to work with Splunk platform 6.6, do the following:
* Download JCE 8 from http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html * Unzip the downloaded file * Place the two jars from the zip file into <java_jre_install_dir>/lib/security/ if running the JRE or <java_jdk_install_dir>/jre/lib/security if running the JDK.
* Download JCE 7 from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html * Unzip the downloaded file * Place the two jars from the zip file into <java_jre_install_dir>/lib/security/ if running the JRE or <java_jdk_install_dir>/jre/lib/security if running the JDK. Update SA-ITOA/local/commands.conf with the following commands: [itsirulesengine] type = custom command.arg.1=-J-Xmx1024M command.arg.2=-Dlog4j.configurationFile=../default/log4j_rules_engine.xml command.arg.3=-DitsiRulesEngine.configurationFile=../default/itsi_rules_engine.properties command.arg.4=-Dhttps.protocols=TLSv1.2,TLSv1.1 command.arg.5=-Dhttps.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256 chunked = true [itsicorrelationengine] type = custom command.arg.1=-J-Xmx1024M command.arg.2=-Dlog4j.configurationFile=../default/log4j_correlation_engine.xml command.arg.3=-J-XX:+UseConcMarkSweepGC command.arg.4=-DitsiCorrelationEngine.configurationFile=../default/itsi_correlation_engine.properties command.arg.5=-Dhttps.protocols=TLSv1.2,TLSv1.1 command.arg.6=-Dhttps.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256 chunked = true Update SA-ITSI-MetricAD/local/commands.conf with the following commands: [mad] type = custom command.arg.1=-J-Xmx1G command.arg.2=-Dlog4j.configurationFile=../default/log4j.xml command.arg.3=-Dlog4j2.threadContextMap=com.splunk.mad.util.MadThreadContextMapcommand.arg.4=-Dhttps.protocols=TLSv1.2,TLSv1.1 command.arg.5=-Dhttps.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256chunked = true |
| 2016-09-08 | ITSI-1268 | ITSI generates duplicate event_ids from the itsi_tracked_alerts index. This occurs when correlation search results contain an existing event_id. In this case, ITSI picks up the value of the event_id field and does not create a GUID for the event. Workaround: Rename the event_id field. |
| 2016-04-01 | ITSI-1346 | The 'Ping Host' action does not work when ITSI and Enterprise Security are installed on the same machine. Workaround: 1. Add the following stanza to $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecurity/local/inputs.conf:
[app_imports_update://update_es] apps_to_update = (SA-(?!(ITOA|ITSI|IndexCreation|UserAccess)).*) | (Splunk_SA_.*)
2. Delete the "import = *" line from [] stanza of $SPLUNK_HOME/etc/apps/$APP/metadata/local.meta, where APP=SA-ITOA, SA-ITSI-ATAD, SA-ITSI-LicenseChecker, SA-IndexCreation, SA-UserAccess. |
Glass Table
| Date filed | Issue number | Description |
|---|---|---|
| 2021-08-13 | ITSI-18306 | "Service not found" error when switching services in Glass Tables if the service isn't included in the first 100 services Workaround: the only workaround I can think off (which I understand is not ideal) would be to rename the services that user want to user for service swapping of glass table with a prefix like A or something at the beginning of the alphabet or 0 if the service names have numbers. The idea is to have the services display in the first page of the service lister when the count per page is set to 100. Or within the first 5 pages if the count per page is set to 20. |
| 2020-11-25 | ITSI-12266 | Icons linked to a KPI data source with thresholding display a background color. Workaround: Use the a choropleth SVG widget instead of a single value icon. |
| 2020-09-24 | ITSI-11067 | You can only configure the background color of an icon, not the color of the icon itself. |
| 2020-09-17 | ITSI-10866 | If you add a drilldown link that redirects to a saved glass table or dashboard, the glass table or dashboard page doesn't honor the time range from the URL. |
| 2020-09-09 | ITSI-10700 | You can't associate an ad hoc search to a chart visualization. |
| 2020-08-31 | ITSI-10511 | After upgrading, the text in beta glass tables is no longer showing. |
| 2020-04-14 | ITSI-6893 | Beta glass tables don't support Predictive Analytics visualizations. Workaround: After pasting in the search for the ad hoc visualization, enter source mode and locate the visualization. Under "encoding", change the trend from "primary[0]" to "primary.next30m_worst_hs". |
| 2019-11-18 | ITSI-4891 | Visualizations are added with TimeRange tokens even if the time picker doesn't exist. |
KPI Base Searches
| Date filed | Issue number | Description |
|---|---|---|
| 2020-10-13 | ITSI-11465 | You can only choose one split-by field during KPI creation, which causes errors for entities coming from SAI with more than one alias field. Workaround: Enable the following searches depending on the entity type you want to use in your KPI:
This creates a new entity alias field called itsi_entity_id. When you create a KPI for one of these entity types, choose itsi_entity_id as the split-by field. |
| 2020-01-07 | ITSI-5220 | Shared base searches are generating thousands of "Broken Socket" messages but ITSI functionality is not impacted. |
KPI Search Calculation
| Date filed | Issue number | Description |
|---|---|---|
| 2022-01-10 | ITSI-21013 | With custom indexes, when creating new KPI, the backfill checks look to the default itsi_summary instead of the custom one, causing potentially extra backfill. |
Maintenance Window
| Date filed | Issue number | Description |
|---|---|---|
| 2020-10-07 | ITSI-11354 | The maintenance window UI calculation of the daylight saving starting day is incorrect. Workaround: Check the start time displayed as a preview (in UTC) when creating maintenance windows to ensure that your maintenance window is created correctly. |
Role Based Access Controls
| Date filed | Issue number | Description |
|---|---|---|
| 2019-03-29 | ITSI-2860 | If you assign the write_itsi_correlation_search capability to the itoa_analyst role, the role still cannot create a correlation search. Workaround: In addition to assigning the write_itsi_correlation_search capability to the itoa_analyst role, create a local.meta file at SPLUNK_HOME/etc/apps/itsi/metadata/ and add "itoa_analyst" to the [savedsearches] stanza.
For example: [savedsearches] access = read : [ * ], write: [ itoa_admin, itoa_team_admin, itoa_analyst ], delete: [ itoa_admin, itoa_team_admin, itoa_analyst ] export = system |
| 2019-02-08 | ITSI-2455 | Multiple pages break when a role for a disabled app is still associated with a user. Workaround: When you disable or remove an app, make sure to remove the roles belonging to that app from current ITSI users. |
Service Analyzer
| Date filed | Issue number | Description |
|---|---|---|
| 2021-08-05 | ITSI-18101 | Service Analyzer Entity Panel always shows N/A after selecting a KPI that is N/A |
| 2019-09-19 | ITSI-4424 | The itoa_admin role cannot permanently dismiss the cyclic dependency warning. |
| 2019-05-22 | ITSI-3258 | "HTTP 414: URI Too Long" when navigating in the ITSI UI. Workaround: ITSI does not limit URL length, so pages with too many characters fail to load. To work around this issue, limit your request lengths to the following:
|
| 2017-10-04 | ITSI-1290 | Filters with no matching results can't be saved in the Service Analyzer. |
Service Definition
| Date filed | Issue number | Description |
|---|---|---|
| 2016-03-28 | ITSI-1269 | On Windows 10 on Chrome, some selectors in the ITSI app do not function. |
Service Templates
| Date filed | Issue number | Description |
|---|---|---|
| 2021-02-18 | ITSI-13953 | Row preview of bulk import doesn't return results error 500 |
Predictive Analytics
| Date filed | Issue number | Description |
|---|---|---|
| 2019-03-20 | ITSI-2801 | Predictive Analytics occasionally fails to train models on Windows. Workaround: If search.log for the fit command reports the following error: ERROR ChunkedExternProcessor - stderr: ImportError: DLL load failed: The application has failed to start because its side-by-side configuration is incorrect. Please see the application event log or use the command-line sxstrace.exe tool for more detail. To resolve this issue, reinstall of Visual C++ 2008 runtime: [3] |
Splunk App for Infrastructure Integration
| Date filed | Issue number | Description |
|---|---|---|
| 2021-04-19 | ITSI-15662 | SAI-ITSI Alert Integration can desync, missing alerts |
| 2019-05-21 | ITSI-3248 | The itoa_admin role does not have permission to create alerts in SAI. |
| 2018-09-24 | ITSI-1654 | Only 50,000 entities can be imported from the Splunk App for Infrastructure. Workaround: By default, the entity integration imports up to 50,000 entities from the Splunk App for Infrastructure. If you have more than 50,000 entities in Splunk App for Infrastructure, only the first 50,000 will be imported into ITSI. Increase the max_rows_per_query setting in $SPLUNK_HOME/etc/apps/SA-ITOA/local/limits.conf under the [kvstore] stanza to import more than 50,000 entities. |
Uncategorized issues
| Date filed | Issue number | Description |
|---|---|---|
| 2021-12-14 | ITSI-20653 | Linux Data Integrations are non-functional Workaround: If the user doesn't need logs, they can run the installation script with logs deselected, and the UF will not be installed. Otherwise, the user can substitute a link to the tar-file version of the UF that fits from [4]. The specific link depends on which version and which distro they want to use. |
| 2021-11-11 | ITSI-19758, ITSI-15723 | SIM Addon : Intermittent search hang issues |
| 2021-08-24 | ITSI-18527, ITSI-18713 | Entity Cohesion Anomaly Detection showing "No recommendation" |
| 2021-05-12 | ITSI-16577 | SA-ITOA transforms refers to non existing collections - causing errors about MongoModificationsTracker in splunkd.log Workaround: The workaround is either to delete the following unused stanzas from SA-ITOA/default/transforms.conf or replace these unused stanzas in SA-ITOA/local/transforms.conf: [itsi_data_integrations_aws] collection = itsi_services [itsi_data_integrations_azure] collection = itsi_services [itsi_data_integrations_cloud_setup] collection = itsi_services |
| 2021-02-23 | ITSI-14414 | ITSI internal licenses remove customer's Dev-Test licenses since dev-test licenses cannot stack with other license types Workaround: * Disable itsi_license_checker_unbundle input * Re-install Dev/Test licenses * Restart splunk * Keep license_checker_unbundle modular input disabled while Dev/Test license is being used ** Warn customer that without internal license, they may see increased indexing usage on their Dev/Test license |
| 2021-02-03 | ITSI-13387 | Upgrade from 4.6.x to 4.7.x or later fails if icons were uploaded to classic glass tables, and Splunk Enterprise is running on a Python 2 environment. Workaround: Delete custom icons or contact support to identify invalid glass table icons. Upgrade Splunk to a version that supports Python 3. |
| 2021-01-19 | ITSI-13146 | Deep dive is not present on the deep dive page after installing the Monitoring Phantom as a Service content pack. |
| 2021-01-14 | ITSI-13086 | The VMware stanza KV_MODE=json breaks some ITSI VMware dashboard searches. Workaround: Replace the KV_MODE=json stanza with KV_MODE=none in props.conf for the Splunk Add-on for Infrastructure. |
| 2021-01-12 | ITSI-13009 | ITSI Standard suite should display paywall screens for Event Analytics dashboards. |
| 2021-01-06 | ITSI-12921 | On ITSI versions 4.8.0 and prior to 4.8.0, ServiceNow add-on version "6.3.0Rf44f5cb" will not work for Event Analytics. |
| 2020-10-02 | ITSI-11269 | The simple filter on the Infrastructure Overview page runs slowly when you select a dimension with a large number of values associated with it. |
| 2020-09-22 | ITSI-11013 | Searching by dimensions in the Infrastructure Overview that are both alias and info fields causes the filter to only apply to one of the types, without clear indication of which one is applied. |
| 2020-07-18 | ITSI-9516 | If you edit the default navigation of a default entity type, the corresponding dashboard is removed from the dashboard dropdown list in its linked entities and instead appears as a navigation suggestion on the right panel. Workaround: Don't edit the default navigations of any of the default entity types shipped with ITSI. You can still add additional navigations if you want.
|
| 2020-03-20 | ITSI-6421, SCP-24922, SII-6872 | ITSI fails to load on Internet Explorer 11. |
| 2019-06-08 | ITSI-3437 | Correlation searches don't work with real-time searches. |
| 2019-05-30 | ITSI-3322 | If you add a correlation search in ITSI which contains a sub-search returning into an eval, you get a message "Invalid search string: This search cannot be parsed when parse_only is set to true." Workaround: You can't use a sub-search returning into an eval in a correlation search. As a workaround, create and save a basic correlation search with all of the information you want outside of the search. Then as an admin user, go to Settings > Searches, reports, and alerts and open the correlation search you just created. Add the sub-search you were trying to add there. |
| 2019-02-12 | ITSI-2471 | If ITSI is installed on multiple environments with multiple license masters, and any indexer interacts with both environments, a duplicate licensing error occurs because both environments have the same auto-generated ITSI license stack. Workaround: Follow the workaround described in the deployment planning docs for the version of ITSI you're currently using: https://docs.splunk.com/Documentation/ITSI/latest/Install/Plan#ITSI_license_requirements |
| 2018-06-27 | ITSI-1287, ITSI-793 | Correlation searches created by manually editing savedsearches.conf do not appear on the correlation search lister page. Workaround: Do not create correlation searches by manually editing $SPLUNK_HOME/etc/apps/itsi/local/savedsearches.conf. The search will not appear on the correlation search lister page. Always create correlation searches directly in the IT Service Intelligence app. |
| 2015-12-01 | ITSI-1320 | When you install Enterprise Security on a search head with a pre-existing installation of ITSI, the ES-specific roles overwrite the ITSI-specific roles assigned to admin role. This disables access to all read/write objects in ITSI. Workaround: 1. In Splunk Web, go to Settings > Access Controls. 2. Select Roles > admin. |
All ITSI Modules
| Publication date | Issue number | Description |
|---|---|---|
| 2017-03-21 | ITOA-7585 | When you bulk add services and an error caused by the racing condition occurs, the incorrect message "itsi_module does not exist" is displayed. |
| 2017-03-07 | MOD-979 | KPIs do not have consistent backfill settings across all modules. |
| 2017-01-17 | MOD-452 | The Analyze KPI button on the Service Details page is broken. |
| 2017-01-17 | MOD-402 | The Export to PDF option does not work in the drilldown to a module. |
| 2017-01-17 | MOD-296 | The extendable tab XML generator REST endpoint is located in DA-ITSI-OS instead of in common components where it can be used by all modules. |
| 2017-01-17 | MOD-591 | ITSI displays a misleading error message when a KPI template contains a field that cannot be resolved. |
| 2017-01-17 | MOD-498 | There is no upper limit to the number of characters a KPI title or description can contain. Long strings can negatively affect performance. |
| 2017-01-17 | MOD-309 | The Gruntfile.js included in ITSI modules uses double quotes instead of single quotes, which does not conform to the standard for all JavaScript files. |
| 2017-04-17 | MOD-2002 | When you drilldown from the Events tab, an "Invalid earliest_time" error occurs.
|
| 2017-01-17 | MOD-439 | Some modules do not have descriptions for saved searches. |
Application Server Module
| Publication date | Issue number | Description |
|---|---|---|
| 2017-01-27 | MOD-492 | If you reuse the same panel within a dashboard, the duplicate panel does not display any event data. |
Cloud Services Module
There are no known issues for this release.
Database Module
| Publication date | Issue number | Description |
|---|---|---|
| 2017-01-17 | MOD-586 | When a lookup is not configured for TA-Microsoft-SqlServer, ITSI displays a misleading error message on the server drilldown page. |
End User Experience Module
There are no known issues for this release.
Load Balancer Module
| Publication date | Issue number | Description |
|---|---|---|
| 2017-01-27 | MOD-492 | If you reuse the same panel within a dashboard, the duplicate panel does not display any event data. |
Operating System Module
| Publication date | Issue number | Description |
|---|---|---|
| 2017-04-13 | MOD-555 | The Storage Free Space % base search runs every minute while the Linux df command runs every 5 minutes. This causes data gaps. |
| 2017-04-10 | MOD-1964 | Windows data for memory free space is collected at different intervals than the Memory Free % KPI. |
| 2017-01-17 | MOD-1398 | Line, stack, and area charts do not display a metric gap when no metrics are available during a time period. |
Storage Module
There are no known issues for this release.
Virtualization Module
There are no known issues for this release.
Web Server Module
| Publication date | Issue number | Description |
|---|---|---|
| 2017-03-17 | MOD-320 | Some KPI ad hoc searches transform data with the stats command and do not retain time fields. The KPIs do not render anything and do not show thresholding details.
|
| 2017-03-17 | MOD-538 | When you add a new tab with panels and refresh the page, the page breaks. |
Last modified on 26 February, 2022
|
PREVIOUS Fixed issues in Splunk IT Service Intelligence |
NEXT Removed features in Splunk IT Service Intelligence |
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.8.0 Cloud only
Feedback submitted, thanks!