Content Pack for ITSI Monitoring and Alerting

Troubleshoot the Content Pack for ITSI Monitoring and Alerting

Follow these troubleshooting tips for the Content Pack for ITSI Monitoring and Alerting if you are experiencing errors or it is otherwise not working as you expect.

Notable Event Aggregation Policy (NEAP) isn't working as expected

Problem

The filter criteria for the following Notable Event Aggregation Policies (NEAPs) aren't working as expected:

  • Episodes by Alarm
  • Episodes by Alert Group
  • Episodes by ITSI Service
  • Episodes by Src

Cause

The definitions of the NEAPs use these filter criteria:

"config": {
    "field": "itsi_policy_id",
    "operator": "=",
    "value": "<uuid>"
}

In previous versions of the content pack, the UUID was hard-coded. Ideally, the value for the itsi_policy_id field is the ID of the NEAP.

Solution

Follow these steps to update the value of the itsi_policy_id field to use the ID for the NEAPs:

  1. Log in to the Splunk instance with ITSI.
  2. Go to the IT Service Intelligence app.
  3. Go to Configuration > Notable Event Aggregation Policies.
  4. For each NEAP follow these steps:
    1. Select a NEAP, and select the Filter Criteria and Instructions tab.
    2. Under Include the events if, replace the value in the itsi_policy_id field as per this table:

      NEAP | Existing itsi_policy_id | New itsi_policy_id
      Episodes by Alarm | cef5eec4-2dcc-11eb-8ffb-0671d5072164 | da-itsi-cp-monitoring-alerting-episodes-by-alarm
      Episodes by Alert Group | e3ec489a-04b1-11ea-8567-021bca2da03d | da-itsi-cp-monitoring-alerting-episodes-by-alert-group
      Episodes by ITSI Service | 48a35d46-0557-11ea-9716-021bca2da03d | da-itsi-cp-monitoring-alerting-episodes-by-itsi-service
      Episodes by Src | 76073f1c-303c-11eb-8ffe-0671d5072164 | da-itsi-cp-monitoring-alerting-episodes-by-src

  5. Select Preview results to preview the results for the new NEAP filter criteria.
  6. Select Save.
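
Added example (not part of the original documentation or the content pack): a Python check that walks a NEAP definition saved as JSON and reports every itsi_policy_id clause that still carries one of the hard-coded UUIDs from the table above, optionally rewriting it to the new ID. Only the inner "config" object comes from this page; the wrapper keys in the sample policy are assumptions for illustration.

```python
import json

# Old hard-coded UUID -> NEAP ID, copied from the table on this page.
STALE_TO_NEW = {
    "cef5eec4-2dcc-11eb-8ffb-0671d5072164": "da-itsi-cp-monitoring-alerting-episodes-by-alarm",
    "e3ec489a-04b1-11ea-8567-021bca2da03d": "da-itsi-cp-monitoring-alerting-episodes-by-alert-group",
    "48a35d46-0557-11ea-9716-021bca2da03d": "da-itsi-cp-monitoring-alerting-episodes-by-itsi-service",
    "76073f1c-303c-11eb-8ffe-0671d5072164": "da-itsi-cp-monitoring-alerting-episodes-by-src",
}


def find_policy_filters(node, path="$"):
    """Yield (path, config) for every itsi_policy_id clause, at any depth."""
    if isinstance(node, dict):
        if node.get("field") == "itsi_policy_id" and "value" in node:
            yield path, node
        for key, child in node.items():
            yield from find_policy_filters(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from find_policy_filters(child, f"{path}[{i}]")


def audit(policy, fix=False):
    """Report clauses still using a hard-coded UUID; optionally rewrite in place."""
    findings = []
    for path, config in find_policy_filters(policy):
        new_id = STALE_TO_NEW.get(config["value"])
        if new_id is None:
            continue  # already updated, or a value this page does not list
        findings.append({"path": path, "old": config["value"], "new": new_id})
        if fix:
            config["value"] = new_id
    return findings


# Constructed sample: only the inner "config" object matches the page; the
# "title" and "filter_criteria" wrapper keys are assumptions for illustration.
SAMPLE = json.loads("""
{"title": "Episodes by Alarm",
 "filter_criteria": {"condition": "AND", "items": [
   {"type": "clause", "config": {"field": "itsi_policy_id", "operator": "=",
                                 "value": "cef5eec4-2dcc-11eb-8ffb-0671d5072164"}}]}}
""")

if __name__ == "__main__":
    for f in audit(SAMPLE, fix=True):
        print(f"{f['path']}: {f['old']} -> {f['new']}")
```

An empty result from audit() means no clause in the document still uses one of the four hard-coded values.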

Search attempts generate error messages

Problem

Running a saved search generates one or more "Could not load lookup" error messages, for example:
Could not load lookup=LOOKUP-itsi_kpi_attributes


Cause

The Content Pack for Monitoring and Alerting depends on lookups that must be generated in your environment. Even if you are not using this Content Pack, these lookups need to exist or you'll see search error messages of the "Could not load lookup" kind.

Solution

To generate the required lookups and fix "Could not load lookup" errors, do the following:

  1. Open a search screen.
  2. Run the following search:

| savedsearch CPMA-Lookups-Init

Note that it can take a couple of minutes before search errors related to the lookups disappear.

Missing service_name field

Problem

The service_name field is missing for some records in the itsi_summary index.


Cause

The service_name field is not native to IT Service Intelligence. Earlier versions of the content pack added service_name to new records in the itsi_summary index, but as of Content Pack for ITSI Monitoring and Alerting version 2.3.0, which was released together with Splunk App for Content Packs 2.0.0, the protocol for obtaining service_name changed.

Solution

Use the following SPL command to obtain service_name for a given serviceid:

| lookup service_kpi_lookup _key AS serviceid OUTPUT title AS service_name

For more information, see Obtain service_name.

Last modified on 11 July, 2023

This documentation applies to the following versions of Content Pack for ITSI Monitoring and Alerting: 2.3.0

