Troubleshoot the TISC add-on in Splunk

  • Release version: Australia
  • Updated May 26, 2026
  • 1 minute to read

    • Enable debug logging on the add-on, view the resulting log entries in Splunk, and check input execution status from the Input Metadata Lookup KV store.

    Before you begin

    Role required: Splunk admin

    The TISC add-on is installed and configured. See Configure TISC add-on in Splunk.

    About this task

    Use this procedure when an input is not pulling observables from TISC as expected, when records appear stale or missing in the KV store, or to inspect the execution history of a configured input.

    Procedure

    1. From the add-on, open the Configuration page and select the Logging tab.
    2. Set Log level to DEBUG and select Save.

      Subsequent input runs provide verbose debug statements that can be searched in Splunk.

    3. To view the debug entries, run a search in Splunk that scopes to the add-on's internal logs and filters on the DEBUG level.

      For example:

      index=_internal sourcetype=splunkd "TA-threat-intelligence-security-center" log_level=DEBUG

      Refine the search further by input name or time range to narrow the results to a specific run.

    4. To verify the execution status of each input, look up the inputs_metadata_lookup KV store. 
      | inputlookup inputs_metadata_lookup

      The lookup contains one record per configured input. Each record captures the following fields:

      Table 1. Input Metadata Lookup fields
      Field Description
      configuration_name Name of the account configuration associated with the input.
      historical_fetch_date Start date used the last time Enable Historical Fetch was set on the input. Empty if a historical fetch has not been run.
      historical_fetch_pending Status indicating whether a historical fetch is pending.
      input_name Name of the input.
      last_successful_execution_time Timestamp of the most recent successful execution of the input.
      status Outcome of the most recent execution: success or failure.
      status_message Detail message for the most recent execution, including error context if the run failed.
      .
    5. After you have diagnosed the issue, return to the Logging tab and reset Log level to INFO to stop emitting verbose entries.

    Result

    You have collected the diagnostic information needed to identify why an input failed or returned unexpected results. Provide the relevant log entries and the input's metadata record when raising a support case or working with the add-on team.