End of Support for Qlik products follows Release Management Policy, as documented in the Product Terms found on the Qlik Site: On-Premise Products Release Management Policy

For detailed information on end of life and release dates, see:

Qlik Sense Enterprise on Windows Product Lifecycle  
Qlik NPrinting Product Lifecycle 
QlikView Product Lifecycle  

Related Content:

• NPrinting 16 to NPrinting 19+ Migration Playbook
• QlikView Release Management and End of Life
• On-Premise Products Release Management Policy

This article will guide you on how to check audit logs to see users' activity on object/sheet/app.

First of all, we would need to enable Audit Logs on Qlik Sense side, to do so, you can follow this guide.

Once done all the steps from the above's guide, then we can check all user activity on object/sheet/level through the Operations Monitor app (from Qlik Sense 2019 release).

In the example below we will see a graphic example of how to check this information from Audit Logs.

User with ID "f9b8183a-bc07-4571-8ccb-94f7a1c5d9db" navigates into app with ID "1e4a22db-7395-46b3-bd43-78bc4cef811f" and then clicks on sheet with ID "1e4a22db-7395-46b3-bd43-78bc4cef811f" and finally selects a dimension:

User performing selections on an app

As we enabled Audit Logs, all traces coming from users selections will be logged on this path location: C:\ProgramData\Qlik\Sense\Log\Engine\Trace\ServerName_Audit_Engine.txt

Now we can check the audit logs directly from Operations Monitor app:

1. Go to Qlik Sense Hub
2. Under streams on the left hand side, click on "Monitoring apps"
3. Then click on "Operations Monitor" app
4. Then we can filter the Audit Logs we enabled before so we can check which actions have been performed on sheet/app level by any user
5. In the example we can see in the gif below, we are performing the following selections to filter:
   1. We first filter by app (where we performed the selections on the bar chart)
   2. Then the gif also shows more filter examples that you could use to filter your data from Audit Logs

Checking logs through the Operations Monitor app

Furthermore, you could also check from logs the object ID and action performed on it on the following columns from C:\ProgramData\Qlik\Sense\Log\Engine\Trace\ServerName_Audit_Engine.txt:

Checking object ID and action performed

Environment

Qlik Sense Enterprise on Windows 

The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.

Related Content 

How to enable Audit Logging in Qlik Sense Enterprise on Windows

What is legacy mode?
Legacy mode in Qlik Sense allows users who have access to the data load editor to write load statements which reference file paths rather than through LIB statements.

Simple example:
Standard Mode:
LOAD * 
FROM [lib://data/data.csv]
(txt, codepage is 28591, embedded labels, delimiter is ',', msq);

Legacy Mode:
LOAD * 
FROM C:\data\data.csv
(txt, codepage is 28591, embedded labels, delimiter is ',', msq);

What are the security considerations when using legacy mode?

Out of the box, for a user to do development in Qlik Sense, they need some combination of two types of access:

1. An ability to create a data connection
2. An ability to read (or see) a data connection

This security model is the intermediary between the user inside of Qlik Sense and the data sources.

When using legacy mode, any user who has access to the Data Load Editor can now access the file system of the local Qlik Sense server as well as any network file shares that the Qlik Sense service account independent of the security rules configured on the Qlik Sense deployment. In this example, the user has access to AttachedFiles, which all users would out of the box, as well as a Salesforce data connection, yet they are still able to load from the data.csv:

This means that the traditional mechanism for ensuring governance and security over data access inside of the Data Load Editor will no longer apply and the user(s) will be accessing the files as the Qlik Sense Service account

What are the benefits of using Legacy Mode?

This is difficult to answer in an exhaustive manner, but generally the benefits are narrowly scoped to deployments where app development, self-service capabilities are disabled or where this level of access is restricted to a vetted set of administrators. Some benefits include:

• The ability to use relative paths in load scripts (e.g. LOAD * FROM ..\..\Customer1\sales.csv). Often used in conjunction with include scripts which allow easy deployment to multiple customers or tenants.
• The ability to use the EXECUTE function (in conjunction with an additional Settings.ini change) to directly call external processes during script execution
• The ability to re-use load statements from QlikView documents in Qlik Sense
• And others

Is legacy mode recommended by Qlik?
For most deployments, no, legacy mode is not recommended. It can be useful in some deployment scenarios where the security concerns are mitigated.

How do I switch to Legacy mode / disable standard mode?
Disabling standard mode - Enabling Legacy Mode - Qlik Sense on Windows

Qlik Sense Legacy mode

Qlik Sense Legacy Mode - Qlik Design Blog

The user that runs the Qlik Sense Enterprise on Windows services is commonly referred to as the Qlik Sense Enterprise service account. The user is defined as the "Log On As" user in Windows service settings. 

In a multi-node deployment it is recommended to use the same domain user for all Qlik Sense services on all nodes the same deployment. 
NOTE: Qlik Sense Repository Database service is an exception, and is expected to always run as Local System.

Confirm the current Qlik Sense Enterprise service account;

1. Login to Windows Server on Qlik Sense node
2. Open Services manager in Windows
3. Sort by Name column
4. Scroll down to show all Qlik Sense related processes in the window
5. Confirm that all services except Qlik Sense Repository Database runs with the same "Log On As" user
6. Repeat above steps on all nodes in the same Qlik Sense site to confirm that the same user is applied 

The Qlik Compose monitoring window takes a long time to load.

This is likely caused by old task entries not being purged from the project's ProjectRepoRuntime.sqlite file. 

ProjectRepoRuntime.sqlite is located in <Instation_folder>\data\projects\PROJECT_NAME
Example (default): C:\Program Files\Qlik\Compose\data\projects\YOUR_PROJECT_NAME              

Resolution 

Upgrade to Qlik Compose 2022.5.0-sp16 (2022.5.1177) or any later version.

After the upgrade, note:

1. The UI performance improvements may not be noticeable immediately, as Qlik Compose deletes a set amount of 500 ghost reference records from ProjectRepoRuntime.sqlite at the end of each successful task completion. Depending on the number of entries that need to be cleaned from ProjectRepoRuntime.sqlite, it can take multiple days before real improvement is seen.
2. Once the UI performance stabilizes, Qlik recommends compressing the ProjectRepoRuntime.sqlite file using a third-party tool such as DB Browser for SQLite.

   It is essential to stop the Qlik Compose service and back up the project folder before compacting the file. Please contact support if any assistance is needed. 

Fixed version

2022.5.0-sp16 (2022.5.1177) and higher

Cause

Recob-7766

Information provided on this defect is given as is at the time of documentation. For up-to-date information, please review the most recent Release Notes with RECOB- 7766 for reference.

The QlikView server creates a last document state or session recovery bookmark ($LASTKNOWNSTATE) when a QlikView document is closed from the Full Browser Client. This allows work to be resumed, even after the session has been terminated. Sometimes, this session or state needs to be cleared.

Symptoms:

A QlikView document does not open and is stuck in:

Resolution:

The last known document state may be attempting to call an invalid state or object created by the user the last time the document was closed.

To clear this, the end-user needs to click the Remove Last Document State button visible in the View Details menu accessible from a link below the document listed on the AccessPoint.
 

Note that clearing the last document state does not mean the session is reset. If the user is still within an active session and they close and re-open the document, the previous session is resumed. This is not the last document state.

The last document state is a bookmark applied at the end of a session.

For a more detailed description, see Session Recovery in QlikView: How to enable it and how it works.

In this Webinar, we covered how to approach a Qlik Sense Enterprise on Windows migration.

The session covers:

• How to Back-Up and Restore
• Managing Certificates
• Potential Pitfalls
• Automation Options
• If assistance is needed, Qlik Consulting would need to be engaged. Qlik Support cannot provide walk-through assistance with server migrations outside of a post-installation and migration completion break/fix scenario.

Resources and Related Content:

Qlik Sense Migration: Migrating your Entire Qlik Sense Environment (Blog post)
Help.Qlik.Com Documentation: Backup and Restore Qlik Sense Enterprise on Windows
Qlik Sense Upgrade Guide
Qlik Admin Playbook

Q&A:

Q: Is it possible to migrate from a standalone installation to a clustered one? 
A: Yes. Once the Central Node has been moved to a new host, additional Rim nodes can be added as usual through the QMC. 

Q: What about the personnal objects created by users (sheets, bookmarks, ...) ?  Are they included in the QSR backup ? 
A: All user objects as well as base sheets are included both in the Apps themselves as well as in the QSR. 

Q: Is this possible to migrate one repository to another server and merge the repository with another one? 
A: Not through the procedure outlined in this webinar. If your goal is to merge content from multiple sites, or seamlessly migrate content, I recommend reaching out to your Account Manager and discuss Qlik Mission Control platform. 

Q: Would the steps given here change if postgres is installed on a stand-alone server?
A: The only steps that would change would be the backup/restore for the DB itself, as this would have to be performed locally on the DB host. Additionally, if the DB location has changed, the QRS connection strings will have to be updated via QlikSenseUtil. 

Q: Is it necessary to have the same release on both servers before migrating ? Or is there compatibility between versions of QlikSense ? 
A: You can restore a database from a previous version on a newer Qlik Sense release and the system will update the internal objects automatically, however the reverse is not possible. It is recommended to perform the upgrade in place, before migrating the server. 

Q: Is it possible to restore without certificate ? 
A: Yes, Trust Root and Qlik Client certificates can be recreated from scratch, however as mentioned during the call, all internal metadata values that were previously encrypted, such as data source connection strings, would have be updated via the QMC by re-entering the connection password and saving. 

In the Qlik View Management Console under Directory Service Connectors, the Custom Users' list has disappeared under Custom Directory.

However, 

• Users are searchable.
• Users are able to log in and access dashboards from the access point.
• CAL information is visible.

Resolution

1. Stop Qlik View Directory Service Connector Service (QDS) and Qlik View Management Service (QMS).
2. Open the "C:\Program Files\QlikView\Management Service\QVManagementService.exe.config" file and increase the message size.
   
   For example:
   
   Add a 0 to the end of the value for MaxRecievedMessageSize
   
   <add key="MaxReceivedMessageSize" value="262144"></add>
   
   to
   
   <add key="MaxReceivedMessageSize" value="2621440"></add>
   
   
3. Start QDS and QMS services.

Environment

QlikView 

Cause

"Custom Users" was intended for a small business to easily get started.

Note that all the users are stored in the same file (CustomDirectoryData.xml). When it grows large to huge it will be slow and when it exceeds the limit of Message size, the User's list will disappear. 

We highly encourage setting up a separate LDAP provider, like OpenLDAP or similar to better handle the volume of users.

Internal Investigation ID(s)

QB-22631

Information on this defect is given as is at the time of documenting. For up-to-date information, please review the most recent Release Notes with the ID QV-22631 for reference.

In multi-node environments, the apps can be reloaded on any node.

Resolution

To set reloads to only run on Rim nodes:

1. Go to the Qlik Sense Management Console
2. Open the Central Node Scheduler
3. In the Advanced menu, select Manager as the Type
4. Open the Rim Node Scheduler(s)
5. In the Advanced menu, select Worker as the Type

Additional steps for Monitoring Apps

By default, all apps are synced to all nodes except for the monitoring apps which reload only on the Central Node.

If you want to move ALL reloads away from the Central node, including the monitor App, then you would need to change the sync rule to change this default behaviour.

To change that sync rule:

1. In the Qlik Sense Management Console open the Load balancing rules
2. Disable the ResourcesOnNonCentralNodes rule
3. Create a new rule with the same settings with ResourcesOnNonCentralNodes rule except changing the condition to " ((node.iscentral="false")) " .  This will sync ALL apps to all nodes included the monitoring apps.

Load balancing rules won't be able to exclude specific tasks from being loaded in the Central Node. Because there is an immutable load-balancing role that says all resources are available on the central node. This is working as designed.

Related Content

Review Pinning/Load Balancing
Load Balancing in Qlik Sense Enterprise on Windows

From Qlik Sense February 2023 onwards, apps listed in the Qlik Sense Management Console (Apps view) are now represented with clickable links. Clicking them will open the app directly on the hub.

This means the app names are no longer plain grey text but are now formatted as links (blue, underline). See Apps for details.

Example: 

To disable clickable links in the Management Console:

1. On your Qlik Sense Enterprise Server, go to C:\Program Files\Qlik\Sense\CapabilityService
2. Open capabilities.json (using for example Notepad++)
3. Search for flag QmcOpenAppInHub 
   Example:
   {
   "contentHash":"2ae4a99c9f17ab76e1eeb27bc4211874",
   "originalClassName":"FeatureToggle",
   "flag":"QmcOpenAppInHub",
   "enabled":true
   },
4. Change "enabled":true to "enabled":false
5. Save and close the capabilities.json file
6. Restart the Qlik Sense Service Dispatcher service from the Windows services console
7. The links are now disabled

Environment

Qlik Sense Enterprise on Windows February 2023 and above

Some script logs are not transferred to Archive log Folder.

Storage Locations:

Qlik Sense log folder:

C:\ProgramData\Qlik\Sense\Log\Script
Log names consist out of the AppID and a year, date, and timestamp.

Archived log Folder:

 \\SERVICECLUSTER-SHARE\ArchivedLogs\NodeName\Script
Log names consist out of the AppID and a year, date, and timestamp.

Environment:

• Qlik Sense Enterprise on Windows, all versions

Resolution:

By design, not all script logs are transferred to the Archived logs folder. Reloads executed from the hub are not transferred. 

1. When reloading data in app via hub, Script log will be left in Script log folder C:\ProgramData\Qlik\Sense\Log\Script

2. When reloading data via QMC/task, Script log will be transferred to Archived logs folder \\SERVICECLUSTER-SHARE\ArchivedLogs\NodeName\Script

Related Content:

• How to find the Script (Reload) logs in Qlik Sense Enterprise

• https://www.ldapadministrator.com/download.htm
• LDAP Admin - Windows LDAP manager 

1. Install LDAP Browser on same machine as QlikView Server, NPrinting or Qlik Sense Enterprise
2. Connect LDAP browser to directory service
3. Validate that connection can be established
4. Browse the person and group records to validate that they can be retrieved

When all steps above can be completed successful the connection is confirmed as valid. Apply the directory path, username, and password in the QlikView, NPrinting or Qlik Sense LDAP configuration. Assistance with modifying filters and ports for LDAP and Active Directory is not in the realm of the Qlik Support SLA.

Another recommendation is to use the ADUC Module from the server and test your LDAP filters there, outside of Sense. This can be added through Roles and Features.

It's also suggested to check if you have a non-default domain policy set in active directory that enforces all LDAP authentication to be secured with SSL. This policy on the domain controller is: "Domain controller: LDAP server signing requirements" and if set to "Require signing" the LDAP data-signing option must be negotiated. The customer's IT Dept will need to verify.


Note: Qlik Support assists in diagnosing user directory imports, however if a new LDAP filter is applied using the User Directory Connector feature of the QMC, and the users are not imported, then this is considered an environmental-related issue and Qlik Consulting Services will need to be elected by clients if they'd like further assistance. Qlik Support is for break/fix of embedded Qlik features and any external or third-party integrations or interactions requires consulting services to assist.

Related Content:

• Qlik Sense on Windows: Configuring and testing LDAP filters for User Directory Connector

• Sync Active Directory users from multiple domains with Advanced LDAP - Qlik Sense Enterprise on Windows

• How to connect to Active Directory using the Generic LDAP Connector

• QlikView: How to configure LDAPS with the Directory Service Connector

• Qlik Sense: User Directory Connector - LDAPS Support and Testing

• How to Filter Active Directory users when Synchronizing them with Qlik Sense Users

• How to get LDAP filters for Active Directory groups from users already in Qlik Sense

• User Directory Connector is configured and users are syncing, but authentication fails

Qlik Cloud tenants are the highest level of logical isolation provided to our customers. The subscriptions and associated entitlements (also known as licenses) that customers purchase from Qlik are not fixed to these tenants. When needed, a customer can update the entitlement used by their tenant. This article covers how to do this, as well as all considerations before moving.

You should not attempt to update your tenant entitlement unless directed to do so by Qlik, or you are an OEM customer who is managing multiple entitlements for their estate.

Content:

• Why you might need to update your entitlement
• Considerations
• How to update the entitlement for your tenant
• 1. Retrieve the signed license key (SLK) for your entitlement
• 2. Export the current user assignments
• 3. Update the tenant entitlement
• 4. Reassign user assignments

Why you might need to update your entitlement

There are three scenarios where you might need to update your entitlement:

1. You have been directed to do so by Qlik support or another Qlik team
2. You are an OEM customer who purchased multiple subscriptions, and who wishes to merge these into your new multitenant entitlement
3. You are an OEM customer who is managing multiple multitenant entitlements

If you are an OEM or Enterprise customer leveraging multiple tenants in Qlik Cloud, please also consider reviewing the Platform Operations series on qlik.dev to learn more about managing these estates prior to changing your entitlements.

Considerations

Before you begin migrating your subscription or entitlement, consider:

• When changing entitlements, all assignments will be lost. This means any user who has previously been assigned a named entitlement (such as a professional-, analyzer-, full- or basic user entitlement) will need to have their entitlement reassigned. 
• Any entitlement changes are immediate. If your new entitlement is missing features or capabilities compared to the original entitlement, or it has less capacity than the original entitlement, then components in the tenant may not function as expected, or users may be impacted. As a good practice, verify the new entitlement on another tenant before applying the changes, or apply the change outside of working hours for the majority of your users.
• Original assignments are not restored if you re-apply the original entitlement. Although you are able to re-apply the original entitlement, it will not restore the original assignments, and some capabilities that may have been disabled through the move might need manually re-enabling.
• The Service Account Owner of the entitlement is the individual who has access to the tenant recovery capabilities. Make sure you know who the Service Account Owner is for the new entitlement before you move the tenant.

How to update the entitlement for your tenant

Updating the entitlement requires four steps:

1. Retrieve your signed license key 
2. Export the current user assignments
3. Update the tenant entitlement
4. Reassign  User assignments

1. Retrieve the signed license key (SLK) for your entitlement

Your SLK is available through:

• The welcome email sent when the entitlement was generated
• Qlik support, if you only have the numeric subscription or entitlement number available
• Any tenant already deployed to that entitlement
  
  To find the entitlement via an existing tenant, log into a tenant linked to the entitlement, and navigate to https://<hostname>.<region>.qlikcloud.com/api/v1/licenses/overview
  
  This will return a license definition, from which you can pull out the SLK. In the example below, you can see "licenseKey". We need the long value, e.g.: "eyJhbGciOiJSUzUxMiIsImtpZCI6ImE...".
  
  

  {"licenseNumber":"1234 5678 1234 5678","licenseKey":"eyJhbGciOiJSUzUxMiIsImtpZCI6ImEzMzdhZDE3LTk1ODctNG....","valid":"./2023-10-08","status":"Ok",...}

2. Export the current user assignments

When you migrate between entitlements, any user assignments will be reset. You will need to export any current assignments if you wish to reassign them. 

There are three ways of doing this:

1. Call the licenses/assignments API endpoint via script:
   
   

   curl -L -X GET 'https://<hostname>.<region>.qlikcloud.com/api/v1/licenses/assignments' \ -H 'Authorization: Bearer ey....' \ -H 'Content-type: application/json' \ -H 'Accept: application/json'

   
   
   
2. Log into the tenant you wish to bring onto the entitlement as a user with the Tenant Admin role. Then open the following address: https://<hostname>.<region>.qlikcloud.com/api/v1/licenses/assignments

   
   If you have many users, both option a and b will require you to paginate to get all results.
   
   Results will look like:

   {     "data": [         {             "subject": "QLIKBOT\\f0e92f326ac77427df155940fec39e6a",             "type": "professional",             "excess": false,             "created": "2022-10-20T13:46:29.474Z"         },         {             "subject": "auth0|a08d000001f0wjria3",             "type": "professional",             "excess": false,             "created": "2022-10-06T09:21:13.265Z"         },         {             "subject": "QLIKBOT\\52b7313d6705e2873eaadb9be23d8c06",             "type": "professional",             "excess": false,             "created": "2022-10-05T12:46:01.716Z"         }     ],     "links": {         "next": {             "href": ""         },         "prev": {             "href": ""         }     } }

   
   
   
3. Log into the tenant you wish to bring onto the new entitlement as a user with the Tenant Admin role, and use an automation to export these assignments. The example below returns the list as a table to the automation output. To import this automation, simply create a new automation, right click, then import the workspace JSON file attached to this post (automation-template-export-license-assignments.json).
   
   Output of attached automation template
   
   Note that for tenants with a large number of users, you will need to output the records to a file as the output window will eventually be capped.

3. Update the tenant entitlement

1. Log into the tenant you wish to bring onto the new entitlement as a user with the Tenant Admin role
2. Click your Profile
3. Click About
   
   
   
   
4. Click the key icon next to Subscription ID
   
   
   
   
5. Enter the SLK for the multitenant entitled subscription
   
   
   
   
6. Click Submit

4. Reassign user assignments

If required, reassign entitlements which were exported in step 2. You can do this in two ways:

1. Manually, by navigating to the management console.  See Assigning user entitlements | Help.qlik.com.
2. Programmatically by using automations or raw API calls.
   
   An example API call to assign an entitlement is shown below.
   
   Example cURL code to assign an entitlement (can also be done in automations):
   

   curl -L -X POST 'https://<hostname>.<region>.qlikcloud.com/api/v1/licenses/assignments/actions/add' \
   -H 'Authorization: Bearer ey...' \
   -H 'Content-type: application/json' \
   -H 'Accept: application/json' \
   --data-raw '{
       "add": [
           {
               "subject": "1ef2caed0dbe0a66a24ccadf61546099",
               "type": "professional"
           }
       ]
   }'

The information in this article is provided as-is and to be used at own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.

This article shows how to use the Qlik Application Automation Monitoring App. It explains how to set up the load script and how to use the app for monitoring Qlik Application Automation usage statistics for a cloud tenant. 

Index:

• How to configure the load script
• Qlik Application Automation Monitoring app content
• Loading data
• Limitations

The app included is an example and not an official app.  The app is provided as-is.

How to configure the load script

There are four steps for the configuration of the load script:

1. Configure your tenant here by typing the name of your tenant and region here: 
   
   
   
   
2. Configure your data connection by typing the name of an existing data connection. The data connection must be configured in the pane to the right, see picture. If you do not have one, you must create one.
   
   
   
   
3. Configure your data folder location here:
   
   
   
   
4. Configure your time zone here, using deviation from GMT, for example, Central European time +1: 
   
   
   
   

Qlik Application Automation Monitoring app content

The monitoring app includes four sheets that present various information on the Qlik Application Automation usage in the current tenant.

Automations

Filtering is available based on Automation Name, Last Run Status, Run Mode, State & Status.

•  # Runs last 30 days
• Automation runs last week
• Automations in tenant
• Automations utilized last 30 days
• Average # of runs
• Average runs per day
• Successful runs last 30 days
• Successful runs last week

Failed vs successful automation runs

• # Runs total
• Average runs per day
• Days of data
• Failed runs
• Number of failed runs per automation
• Number of runs last 30 days per user
• Percentage failed
• Runs per automation
• Successful runs

Automation run history last 30 days and weekly respectively

• Number of runs last 30 days
• Number of runs per month

Total hourly distribution

• Hourly distribution last 30 days
• Total automation runtime last 30 days

Loading data

The Qlik Application Automation Monitoring app facilitates incremental load, that is, only added data is loaded into the app. 

Important: Qlik Application Automation runs are only stored for 30 days. When data is loaded into the app for the first time, only 30 days of history is loaded, thus only 30 days of history will be available in the app. After this initial data load, data older than 30 days will be available in the app thanks to the incremental data load. If data is loaded at least once every 30 days, continuous data will be available in the app. 

Limitations

1. At the initial load, only 30 days of history are loaded. This is because Qlik Application Automation history is only stored for 30 days. 
2. For continuous data in the app, data must be loaded at least every 30 days. 
3. The API can only return the last 5000 runs for every automation. Please keep this in mind when scheduling the reloads of this app. 

Environment

Qlik Cloud 
Qlik Application Automation 

The information in this article is provided as-is and is to be used at your own discretion. Depending on tool(s) used, customization(s), and/or other factors ongoing support on the solution below may not be provided by Qlik Support.

The max parallel session count cannot be configured.

Qlik Sense Enterprise on Windows allows for a maximum of five parallel sessions from one user. If the maximum is reached, the sixth connection will fail with:

You cannot access Qlik Sense because you have no access pass. Too many sessions active in parallel

For more information, see: 

You cannot access Qlik Sense because you have no access pass
How to count sessions in Qlik Sense 
Troubleshoot too many sessions active in parallel

To eliminate the chance that AntiVirus, AntiMalware, and other security-related software cause corruption or lock up files in the Qlik environment, or cause issues during an installation/upgrade/patch, some folders should be excluded from live scanning.

• The impact of Anti-virus, Endpoint detection and response (EDR) and Advanced Threat Prevention (ATP) scans locking Qlik-related files (such as .qvf files, as well as NPrinting task files, etc...) can result in loading and refresh failures as well as performance issues.
• Qlik Sense requires access to predetermined TCP and UDP ports to function. If anti-virus software prevents traffic on these ports, Qlik Sense may not function as expected. This can include running exe files, data connections, etc.
• Qlik Sense constantly updates several log files and relies on multiple config and binary files to function correctly. If the anti-virus software is scanning these files and folders, then this may cause upgrades/installation to fail, performance issues, or cause the services to fail.

For an example demonstrating exclusions with Symantec, see Antivirus exceptions for Qlik Sense- McAfee, Symantec & Other Anti-Virus exclusions absolutely required

The following folders should be considered for an exception:

Note 1: Verify requirements on the Qlik Sense Online Help for the installed version
Note 2: A machine reboot is required after exclusions are made
Note 3: For Qlik Sense Desktop additional locations, see the appropriate Qlik help page for the version being installed. See Installing Qlik Sense Desktop.

• %ProgramData%\Qlik
• All executables under %Program Files%\Qlik\Sense
• All executables under %ProgramFiles%\Common Files\Qlik\Custom Data
• The PostgreSQL database/data folder: If you have previously unbundled PostgreSQL or have installed a standalone PostgreSQL instance, the relevant \PostgreSQL\ folders should be considered as well. For a setup which was unbundled using QPI, this may be C:\Program Files\PostgreSQL\14. For manually installed instances, see Running & Installing PostgreSQL On Native Windows
• Any QVD files (or the folder where you save your QVDs) you may use to read/write during your reloads. 
• The full share root folder location which includes the App folder configured in the Service Cluster. The app folder stores all app files. In latest releases of Qlik Sense, files with .lock extensions are generated, and each binary app file has its own .lock file. These file must be excluded from analysis as well.
• It is not recommended to exclude the Static Content root folder in the Service Cluster, as this is the target location for end user uploads
• Make sure that the Antivirus doesn't block  Qlik Sense from updating the keys in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ , as this will block the system bootstrap. 

Ports to be excluded from Anti-Virus Monitoring / Blocking

• See the relevant piece of documentation for your version of Qlik Sense: Help Site > Deploy > Planning your deployment > Architecture > Ports
• Sophos Antivirus will require 127.0.0.1 *  to be excluded

Certificates

Make sure that the anti-virus is not blocking access to certificates stored in the following location and their private keys: Personal (Local Computer), Trusted Root Certification Authorities (Local Computer), Personal (Current User for the service account)

EDR and ATP 

Please note that usual anti-virus exclusions might not apply to the EDR and ATP setup. Speak to your solution vendor to get the exclusions in place. For example, if you use Microsoft's Advanced Threat Protection (Microsoft Defender for Endpoint), then the exclusion list is handled by Microsoft, and you will need to open a ticket with Microsoft to get an exclusion in place. 

Due to the different versions of Qlik Sense and Enhancement, to obtain a list of exclusions for EDR and ATP, you can use the following commands.

1. Open a Windows Command line as Administrator. 
2. Run the following commands to obtain a file list: 
   1. C:\Program Files\Qlik>dir /s *.exe > exclussionfolder1.txt
   2. C:\ProgramData\Qlik>dir /s *.exe > exclussionfolder2.txt 
   3. C:\ProgramData\Qlik\Sense>dir /s *.qvd > exclussionfolder3.txt
   4. C:\ProgramData\Qlik\Sense>dir /s *.qvf > exclussionfolder4.txt
   5. C:\Program Files\Common Files\Qlik>dir /s *.exe > exclussionfolder5.txt

It is best to have the fileserver (SharedFolder) not in the policy for ATP/EDR scan.

Note: Qlik Support cannot provide support and services for any Qlik Servers in which performance issues, port issues, installation, patching, or upgrading problems occur if these directories are not made exempt for any and all Anti-Virus solution. It will be best-effort, as the exclusions of these directories is a prerequisite to Qlik software.

Ref: Qlik Sense Help, Deploy > Troubleshooting - Deployment > Anti-virus software scanning affects performance

 

Operation Monitor and License Monitor apps in Qlik Sense failed to reload with error message;

"Error: QVX_UNEXPECTED_END_OF_DATA: Unexpected character encountered while parsing value: <. Path '', line 0, position 0."

Step 1: Verify the connection string

Check the connection string of the data connections for your monitor_apps_*.
The connection string should be: queryHeaders=X-Qlik-XrfKey%20000000000000000%1User-Agent%2Windows;PaginationType=None; 
If the string is instead: queryHeaders=X-Qlik-XrfKey%20000000000000000%1User-Agent%2Forms;PaginationType=None;  then modify it to User-Agent%2Windows.

Step 2: Create a second Virtual Proxy allowing Windows authentication. 

Create a secondary virtual proxy using standard windows authentication. In our example we use "win" as the prefix. For detailed instructions on how to add a new Virtual Proxy, see Qlik Sense: How to create a new Virtual Proxy. 
 

Step 3: Modify the Data Connection prefixes

Edit all Data Connections prefixed with monitor_apps_ to use the new virtual proxy. Change the connector URL path to contain the Windows authenticated virtual proxy.

Cause:

Operations Monitor and License Monitor apps use the Qlik REST Connector to fetch data. The connector requires Windows Authentication to be successful in fetching data. This issue occurs when no virtual proxy in the Qlik Sense deployment utilizes Windows authentication.