Alerts aren’t appearing in the Episode Review dashboard

How to troubleshoot if alerts aren’t appearing in the Episode Review dashboard.

Causes

This issue could be caused by any of the following reasons:

  1. The definitions for the two content pack search macros, `itsi_cp_catalyst_center_index` and `meraki_index`, don’t point to the indexes used by the add-ons. By default, both macros are defined as index IN ("main"). If you used different indexes when you configured the add-ons, alerts data will not be ingested into the indexes expected by the content pack knowledge objects.

  2. The data integration connections, which ingest alerts, have not been activated or created.

  3. The Cisco Catalyst Add-On for Splunk and the Cisco Meraki Add-on for Splunk are not ingesting alerts.

  4. Throttling is enabled for the data integration connections, causing data to be de-duplicated for the configured suppress period. This prevents alerts from being ingested to the `itsi_tracked_alerts_index`.

Solutions

Update the content pack search macro definition to point to the correct index for Cisco Catalyst Center

Note: You must have the admin role to perform this step.
Complete the following steps to update the content pack search macro definition to point to the correct index.
  1. (Optional) If you need to create an index, see Create events indexes.

  2. Identify the index that the Cisco Catalyst Add-On for Splunk uses:

    1. From the Splunk Enterprise main menu, select Apps, then select Cisco Catalyst Add-On for Splunk.

    2. The Application Setup tab is selected by default. In the table under My Apps, use the Index column to identify the index. By default, this index is set to main.

  3. Update the content pack search macro to use the same index as the add-on:

    1. From the Splunk Enterprise main menu, select Settings, then Advanced Search.

    2. Select Search Macros.

    3. In the App drop-down menu, select Content Pack for Cisco Enterprise Networks (DA-ITSI-CP-enterprise-networking).

    4. In the search bar, enter itsi_cp_catalyst_center_index. Select the index name.

    5. By default, the macro definition is set to index IN ("main"). In the Definition field, change the index value to the index used by the Cisco Catalyst Add-On for Splunk.

    6. Select Save.

Update the content pack search macro definition to point to the correct index for Cisco Meraki

Note: You must have the admin role to perform this step.

Complete the following steps to update the content pack search macro definition to point to the correct index.

  1. (Optional) If you need to create an index, see Create events indexes.
  2. Identify the index that the Cisco Meraki Add-on for Splunk uses:

    1. From the Splunk Enterprise main menu, select Apps, then select Splunk Add-on for Cisco Meraki.

    2. From the Cisco Meraki Add-On for Splunk main menu, select Inputs.

    3. In the table of inputs, use the Index column to identify the index for your inputs. By default, this index is set to main.

  3. Update the content pack search macro to use the same index as the add-on:

    1. From the Splunk Enterprise main menu, select Settings, then Advanced Search.

    2. Select Search Macros.

    3. In the App drop-down menu, select Splunk Add-on for Cisco Meraki (Splunk_TA_cisco_meraki).

    4. Select meraki_index.

    5. By default, the macro definition is set to index IN ("main"). In the Definition field, change the index value to the index used by the Cisco Meraki Add-on for Splunk.

    6. Select Save.

Activate the default data integration connection or create a new connection

If you haven’t activated the default data integration connection or created a data integration connection, complete the following steps.

  1. ITSI 4.21.x and higher: Follow the steps in Configure Cisco Catalyst Center and Cisco Meraki alerts for ITSI 4.21.x and higher to either activate the default connections or create new connections in the Cisco Catalyst Center and Cisco Meraki data integrations.

  2. ITSI 4.20.x and higher: Follow the steps in Configure Cisco Catalyst Center and Cisco Meraki alerts for ITSI 4.20.x and higher to create connections using the generic alerts integrations.

Activate existing data integration connections

If you’ve already created data integration connections, complete the following steps to activate them.

  1. From the ITSI main menu, select Configurations, then Data Integrations. The Integrations library tab is selected by default.

  2. Check the status of your alerts data integrations:

    1. If you configured alerts using the Cisco Catalyst Center and Cisco Meraki data integrations, select the Cisco Catalyst Center and Cisco Meraki chiclets to view the list of active connections.

    2. If you configured alerts using the generic data integration, select the Generic chiclet to view the list of active connections.

  3. Check the Status column for your data connection. If the Status is Inactive, activate the data connection:

    1. In the row for your data connection, select the actions (...) menu.

    2. Select Activate.

  4. If your connection is not displayed in the list of active connections, follow the steps in Configure Cisco Catalyst Center and Cisco Meraki alerts for ITSI 4.21.x and higher or Configure Cisco Catalyst Center and Cisco Meraki alerts for ITSI 4.20.x and higher to create a new connection.

Check if the alerts index contains data

Alerts from the data integrations are ingested into the index referenced by the `itsi_tracked_alerts_index` macro. Complete the following steps to check if this index contains data.

  1. From the IT Service Intelligence (ITSI) main menu, select Search.

  2. In the Search field, enter `itsi_tracked_alerts_index`.

  3. Check if alerts from the data integrations are being ingested by using the source field in the alerts.

    Alert source values are in the format DATA_INTEGRATION_CS-<name_of_data_integration_connection>. Examples of alert source values that contain data integrations:

    1. DATA_INTEGRATION_CS-catalyst_center_default

    2. DATA_INTEGRATION_CS-meraki_default

  4. If alerts aren’t being ingested from a particular source, continue with the following sections on this page to troubleshoot data ingestion.

Troubleshoot data ingestion for the Cisco Catalyst Add-On for Splunk

Complete the following steps to troubleshoot data ingestion for the Cisco Catalyst Add-On for Splunk.

  1. Check that the required data inputs are enabled in the Cisco Catalyst Add-On for Splunk:

    1. From the Splunk Enterprise main menu, select Apps, then select Cisco Catalyst Add-On for Splunk.

    2. The Application Setup tab is selected by default. In the table under My Apps, enable the following inputs based on your use case.
      Data input        | Description                                           | sourcetype
      Device Health     | Collects data for service KPIs and entity dashboards. | cisco:dnac:devicehealth
      Security Advisory | Collects data for entity dashboards.                  | cisco:dnac:securityadvisory
      Issue             | Collects alerts data.                                 | cisco:dnac:issue
      Site Topology     | Collects data that enables service import.            | cisco:dnac:site:topology
  2. Check that the Cisco Catalyst Add-On for Splunk index is collecting data from the inputs that you enabled:

    1. From the ITSI main menu, select Search.

    2. In the Search field, enter `itsi_cp_catalyst_center_index` sourcetype=<sourcetype_name>. Replace <sourcetype_name> with the sourcetype for the input that you enabled. Refer to the previous step for the sourcetype names.

    3. Use the results to confirm if the Cisco Catalyst Add-On for Splunk is collecting data from the input that you enabled. Repeat these steps for each data input.

  3. If data isn't being collected from an input, check the _internal index (which stores Splunk Enterprise internal logs) to identify errors in the add-on:

    1. From the IT Service Intelligence (ITSI) main menu, select Search.
    2. In the Search field, enter index=_internal source=*catalyst*.

    3. Use the results to identify and resolve errors in the add-on.

  4. For more troubleshooting instructions, see the Troubleshooting tab in the Splunkbase listing.

Troubleshoot data ingestion for the Cisco Meraki Add-On for Splunk

Complete the following steps to troubleshoot data ingestion for the Cisco Meraki Add-On for Splunk.

  1. Check that the required data inputs are enabled in the Cisco Meraki Add-On for Splunk:

    1. From the Splunk Enterprise main menu, select Apps, then select Splunk Add-On for Cisco Meraki.

    2. From the Cisco Meraki Add-On for Splunk main menu, select Inputs.

    3. In the table of inputs, enable the following inputs based on your use case.
      Data input                           | Description                                                      | sourcetype
      Organizations                        | Collects data for service discovery and entity discovery searches. | meraki:organizations
      Organizations Networks               | Collects data for service discovery and entity discovery searches. | meraki:organizationsnetworks
      Wireless Packet Loss by Device       | Collects data for dashboards and service KPIs.                   | meraki:wirelessdevicespacketlossbydevice
      Device Availabilities Change History | Collects data for dashboards and service KPIs.                   | meraki:devicesavailabilitieschangehistory
      Assurance Alerts                     | Collects data for alerts, dashboards, and service KPIs.          | meraki:assurancealerts
  2. Check that the Cisco Meraki Add-On for Splunk index is collecting data:

    1. From the IT Service Intelligence (ITSI) main menu, select Search.

    2. In the Search field, enter `meraki_index` sourcetype=<sourcetype_name>. Replace <sourcetype_name> with the sourcetype for the input that you enabled. Refer to the previous step for the sourcetype names.

    3. Use the results to confirm if the Cisco Meraki Add-On for Splunk is collecting data from the input that you enabled. Repeat these steps for each data input.

  3. If data isn’t being collected for an input, check the _internal index (which stores Splunk Enterprise internal logs) to identify errors in the add-on:

    1. From the IT Service Intelligence (ITSI) main menu, select Search.

    2. In the Search field, enter index=_internal source=*meraki*.

    3. Use the results to identify and resolve errors in the add-on.

  4. For more troubleshooting instructions, see the Troubleshooting tab in the Splunkbase listing.

Check if throttling is affecting alert ingestion

If you completed the steps in the previous sections to troubleshoot data ingestion for the Cisco Catalyst Center Add-On for Splunk and the Cisco Meraki Add-On for Splunk, and confirmed that the source indexes (`itsi_cp_catalyst_center_index` or `meraki_index`) contain alerts data, check if throttling is affecting ingestion from your data integration connections.

If throttling is enabled for your data integration connections, data may be de-duplicated for the configured suppress period, which prevents alerts from being ingested to the `itsi_tracked_alerts_index`.

If data is only sporadically available in the source indexes, throttling could be affecting alert ingestion. For example, consider a data integration connection that has enabled throttling for a suppress period of 59 minutes. If the source index contains no alerts data in the last 60 minutes but contains data older than 60 minutes, it could be due to data throttling.
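The following search is an added example (not part of this documentation) that performs the gap check described above for both alert sourcetypes at once, and also covers the "Check if the alerts index contains data" step by splitting the count into the last 60 minutes versus older events. It assumes the two content pack macros are already pointing at the add-on indexes and uses the alert sourcetypes listed in the ingestion sections above; the 60-minute boundary mirrors the 59-minute suppress-period example.

```spl
(`itsi_cp_catalyst_center_index` sourcetype=cisco:dnac:issue) OR (`meraki_index` sourcetype=meraki:assurancealerts) earliest=-24h
| eval window=if(_time >= relative_time(now(), "-60m"), "last_60m", "older_than_60m")
| chart count over sourcetype by window
| fillnull value=0 last_60m older_than_60m
| eval possible_throttling=if(last_60m=0 AND older_than_60m>0, "yes", "no")
```

A row with possible_throttling=yes matches the pattern in the paragraph above (older alerts present, none in the last hour) and points to the throttling check that follows; a sourcetype that does not appear at all indicates the add-on input itself is not collecting, which is covered by the ingestion sections above.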

For more information on throttling, see Throttling in the Event Analytics manual.

Complete the following steps to check or change the throttling setting for a data integration connection.

  1. From the ITSI main menu, select Configurations, then Data Integrations. The Integrations library tab is selected by default.

  2. Select your alerts data integration:

    1. If you configured alerts using the Cisco Catalyst Center and Cisco Meraki data integrations, select the Cisco Catalyst Center or Cisco Meraki chiclet.

    2. If you configured alerts using the generic data integration, select the Generic chiclet.

  3. In the table of connections, select your connection name.

  4. Under Throttling, check the Enable throttling setting. If needed, disable the setting and select Save.