Troubleshoot intelligence workflow
Use the following information to troubleshoot intelligence workflows in Splunk Intelligence Management:
Processing an intelligence workflow
Issue: Intelligence workflow is not processing.
Cause: Intelligence workflows are processed every 40 minutes.
Solution: Wait 40 minutes. New or edited workflows may need approximately 40 minutes to produce a new destination data set.
Indicators not visible
Issue: Indicator from a new report in the destination data set is not visible.
Cause: Scoring and enrichment of new sources in Splunk Intelligence Management might need up to four hours.
Solution: Wait at least four hours for the enrichment process to be completed and the indicator to be available for intelligence workflows.
Processing a change in the intelligence workflow configuration
Issue: A change in the intelligence workflow configuration is not processing.
Cause: A change or edit to sources or transformations is applied every 24 hours at 12:00 am PST. At that time, the updated configuration retroactively recomputes the last 30 days of data.
Solution: Wait at least 24 hours for the change in the intelligence workflow configuration to be processed.
Tools to use datasets from intelligence workflows
Issue: You need to access the data sets from intelligence workflows.
Cause: Intelligence workflow capability will be released into selected workflow applications on a rolling basis.
Solution: Use the data set from an intelligence workflow with existing workflow tools. You can build a custom script using the API for Splunk Intelligence Management version 2.0 for the early releases. For more information, see REST API v2.0 in the Splunk Intelligence Management Developer's Guide.
Also see:
- To file a ticket on the Splunk Support Portal, see Support and Services.
- If you have a support contract, file a case using the Splunk Support Portal. See Support and Services.
View enclaves for intelligence workflow dataset
Issue: The intelligence workflow data set (enclaves, indicators, or reports) is not visible in the Splunk Intelligence Management web app or in a destination enclave.
Cause: The output from an intelligence workflow is sent directly to a workflow app in Splunk Intelligence Management. Therefore, no enclaves are visible for the data set.
Solution: View specific indicators or reports in the source enclaves.
Verify results of your enclave
Issue: Data from the intelligence workflow is not visible.
Solution: Verify the results of your enclave by checking the data set. Splunk Intelligence Management uses the Postman application to display this data so that you can review and modify the workflow as desired before sending the data set to a third-party tool.
To review the results of your enclave, see View a dataset in Postman.
View intel workflow in the web app
Issue: Intelligence workflow is not available in the Splunk Intelligence Management web app.
Cause: Intelligence workflow is only available for Enterprise customers, Information Sharing and Analysis Centers (ISAC), and Managed Service Providers (MSP).
Solution: If the Intelligence Workflows icon is not visible on your Navigation toolbar, use the Splunk Support Portal to request early access.
See also
To review the list of intelligence sources available to intelligence workflows, see Sources for threat intelligence.
This documentation applies to the following versions of Splunk® Intelligence Management (Legacy): current