Splunk Troubleshooting and Support
Troubleshooting
Events not flowing: If you have configured the ObserveIT TA and do not see events flowing into Splunk, check the TA's internal logs for error messages.
In the Splunk console, search ta_observeit_observeit_api.log for non-INFO messages:
index=_internal sourcetype="ta:observeit:log" NOT "INFO"
Error: “No previous instances” in TA log
If the TA log at SPLUNK_HOME\var\log\splunk\ta_observeit_observeit_api.log contains a message such as:
2024-01-02 07:01:01,625 INFO pid=612 tid=MainThread file=base_modinput.py:log_info:295 | No previous instances of input 'oit' were found.
This message indicates that you must create the oit index as described in Creating New Index for ObserveIT (example “oit” index).
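The two checks above (the `NOT "INFO"` search and the "No previous instances" message) can also be run directly over a copy of ta_observeit_observeit_api.log. The following is an added example, not code from the ObserveIT TA or from Proofpoint; the line layout it parses is taken from the log line quoted above, and the sample log entries other than that line are constructed. Note that the "No previous instances" message is logged at INFO level, so the `NOT "INFO"` search alone would not surface it; the script matches it explicitly.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Layout of ta_observeit_observeit_api.log entries as quoted on this page:
# "<date> <time>,<ms> <LEVEL> pid=<n> tid=<thread> file=<file>:<func>:<line> | <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) pid=(?P<pid>\d+) tid=(?P<tid>\S+) "
    r"file=(?P<file>[^:]+):(?P<func>[^:]+):(?P<lineno>\d+) \| (?P<msg>.*)$"
)

# Logged at INFO level, so a search for NOT "INFO" alone misses it.
NO_PREVIOUS_RE = re.compile(r"No previous instances of input '(?P<input>[^']+)' were found")

@dataclass
class Finding:
    ts: str
    level: str
    reason: str
    msg: str

def parse_line(line: str) -> Optional[dict]:
    """Split one log entry into its fields; None for continuation lines (tracebacks)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Return entries worth a look: every non-INFO entry, plus INFO entries
    carrying the missing-index signature described on this page."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["level"] != "INFO":
            findings.append(Finding(rec["ts"], rec["level"], "non-INFO entry", rec["msg"]))
            continue
        m = NO_PREVIOUS_RE.search(rec["msg"])
        if m:
            reason = f"no previous instances of input '{m.group('input')}'; create the index"
            findings.append(Finding(rec["ts"], rec["level"], reason, rec["msg"]))
    return findings

# Constructed sample: the entry quoted on the page plus made-up neighbouring lines.
SAMPLE_LOG = """\
2024-01-02 07:00:59,100 INFO pid=612 tid=MainThread file=base_modinput.py:log_info:295 | Starting input 'oit'
2024-01-02 07:01:01,625 INFO pid=612 tid=MainThread file=base_modinput.py:log_info:295 | No previous instances of input 'oit' were found.
2024-01-02 07:01:03,010 ERROR pid=612 tid=MainThread file=base_modinput.py:log_error:301 | Request failed: connection refused
Traceback (most recent call last):
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.level:<5} {f.reason}: {f.msg}")
```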
Support
For help using the ITM On-Prem (ObserveIT) platform, contact the Proofpoint support organization.