Known issues in Splunk IT Service Intelligence

This version of IT Service Intelligence (ITSI) has the following known issues and workarounds.

Entities

Date filed | Issue number | Description
2025-09-05 | ITSI-41680 | Users with itoa_user, itoa_analyst roles see a 403 error when retrieving entity drilldowns in Service Analyzer.
2024-04-11 | ITSI-35019, ITSI-35068 | Entity dashboard page re-renders when the entity sidebar is closed or opened.

Uncategorized issues

Date filed | Issue number | Description
2025-10-18 | ITSI-37708 | Error "PkgResourcesDeprecationWarning: unknown is an invalid version and will not be supported in a future release".

Workaround:

Remove the older deprecated library folder /splunk/etc/apps/SA-ITOA/lib/SA_ITOA_app_common/scp_download_simple_crypto-unknown.dist-info.

2025-09-24 | ITSI-41765 | Unable to initialize modular input "itsi_summary_worker" after upgrading to ITSI 4.21.0.

Workaround:

Install Python for Scientific Computing and the Splunk AI Toolkit to resolve the issue.

2025-09-18 | ITSI-41761 | The upgrade readiness check for "Maximum number of events using base search reached" displays a false positive error.

Workaround:

Ignore this error if all instances of it are false positives.

2025-09-05 | ITSI-41681 | Filter Episode Monitoring alerts before passing them to Event iQ policies.

Workaround:

Update the filtering criteria for the Event iQ policy to filter out all monitoring alerts created by other policies in order to avoid overlap. For example:

AND source does not match *Episode Monitoring*, or AND itsi_policy_id does not match *episode*.

2025-08-19 | ITSI-41290 | Splunk throttling is enabled for default connections when disabled in connection payload.
2025-08-05 | ITSI-41271 | When clicking impacted services from Episode Review, an error occurs on the Service Analyzer.
2024-10-18 | ITSI-37708 | Errors stating "PkgResourcesDeprecationWarning: unknown is an invalid version and will not be supported in a future release" appear after upgrading Splunk to 9.2.2.

Workaround:

Remove the deprecated library folder /splunk/etc/apps/SA-ITOA/lib/SA_ITOA_app_common/scp_download_simple_crypto-unknown.dist-info.

2024-06-25 | ITSI-36467 | Some actions not running in the rules engine.

Workaround:

Update each search head to disable asynchronous execution of actions in the Rules Engine.

  1. Go to $SPLUNK_HOME/etc/apps/SA-ITOA/local/itsi_rules_engine.properties.

  2. Go to the rules_engine_feature_disabled_list in the file. If this is not in the file, add this value to the file.

  3. Add the value RUN_ACTION_ASYNC to the comma-separated list of values:

     rules_engine_feature_disabled_list = POLICY_EXECUTOR_ASYNC_SUB_ACTORS, POLICY_EXECUTOR_STATE_RECOVERY, SORT_NOTABLE_EVENTS, RUN_ACTION_ASYNC

  4. Restart the itsi_event_grouping real-time search. Select Activity, then Jobs, set filters to "All", search for label="itsi_event_grouping", and then stop the job. It restarts after a couple of minutes.