After distributing the Consumption Report app from Qlik Cloud Administration > Settings, scheduled reloads of the app fail with the following error: 

Error: $(MUST_INCLUDE= [lib://snowflake_external_share:DataFiles/Capacity_Usage_Script_PROD.txt] cannot access the local file system in current script mode. Try including with LIB path.

Environment

• Qlik Cloud Analytics
• Qlik Talend Cloud

Resolution

The Consumption Report app isn't meant to be reloaded. The app should be distributed from Qlik Cloud Administration > Settings each day. Refer to Distributing detailed consumption reports for details:

Redistribute the app to obtain the most recent data. Apps stored on your tenant exist as separate instances and are not replaced by newer ones.

On the Talend side, refer to Distributing Data Capacity Reporting App for Talend Management Console for details on how to set up capacity reporting.

Cause

The Report Consumption app is meant to be distributed from Qlik Cloud Administration > Settings and not updated by a scheduled reload of the app.

Qlik Sense on-prem comes with an option to set a custom filter when creating a task. However, some custom filters are unable to be set with an error:

Value of Custom filter does not follow the correct pattern: [**-*****]

Example: 19-24 is acceptable, but 20-24, 21-24, 22-24, 20-23, 20,21,22,23,24 are not.

Resolution

This issue has been identified as a defect (ID QCB-29415), which is expected to be fixed in the Qlik Sense Enterprise on Windows November 2025 release.

Workaround:

Set multiple triggers for each hour.

Fix Version:

Qlik Sense Enterprise on Windows November 2025.

Environment

• Qlik Sense Enterprise on Windows, all versions leading up to November 2025

Information provided on this defect is given as is at the time of documenting. For up-to-date information, please review the most recent Release Notes or contact support with the ID QCB-29415 for reference.

A user's last login timestamp can be retrieved using the Qlik Audit API and filtering by the event type: com.qlik.user-session.begin

For more information, see: Audits.

The login timestamps can also be obtained from the Qlik Cloud Entitlement Analyzer app.

Environment

• Qlik Cloud Analytics

The Qlik Education and Certification team can assist in troubleshooting issues related to training, certification, badges, and similar topics. This article highlights who to contact for which problem.'

The Qlik Education team

Reach out to education@qlik.com if you experience:

• Issues related to training scheduling, registration, and billing
• Issues purchasing Qlik Learning subscriptions, Instructor-led training

See Contact Qlik Education for additional details.

Certification Team

Reach out to certification@qlik.com if you experience:

• Issues related to completing the Certification
• Issues accessing the Certification on Credly

Certifications are available on Credly and are issued within 48 hours of earning your certification. Additional time may be required due to holidays or weekends. If the certificates remain unavailable, contact the Certification Team. Note that it will take another 48 hours before the Completed Exam Certification is issued.

This guide briefly offers a step-by-step process on how to set up key-pair authentication for Snowflake in Talend Studio at Job level

The process can be summarized in three steps:

1. Creating the .p12 file with Open SSL
2. Configuring Snowflake
3. Configuring Talend Studio at Job Level

Creating the .p12 File with Open SSL

The .p12 file contains both the private and public keys, along with the owner's details (such as name, email address, etc.), all certified by a trusted third party. With this certificate, a user can authenticate and identify themselves to any organization that recognizes the third-party certification. 

Talend tSetKeyStore component itself can only take in .jks or .p12/.pfx format. If you are using PKCS8 format, you need to convert your p8 certs into a supported format. 

1. Generate the key with the following command line prompt:

   openssl genpkey -algorithm RSA -out private.key -aes256

   This will generate a private key (private.key) using the RSA algorithm with AES-256 encryption. You'll be prompted to enter a passphrase to protect the private key.
   
   
   
   
   
   
2. Generate a self-signed certificate using the following command line prompt:
   

   openssl req -new -x509 -key private.key -out certificate.crt -days 1825

   This command generates a self-signed certificate (certificate.crt) that is valid for 5 years. You will be prompted to enter details like country, state, and organization when generating the certificate.
   
   
   
   
3. Once you have both the private key (private.key) and certificate (certificate.crt), please create the .p12 file using the following command line and name your key alias.
   

   openssl  pkcs12 -export -out keystore.p12 -inkey private.key -in certificate.crt  -name "abe"

   And check the  created  .p12 file information with below command:
   

   openssl pkcs12 -info -in keystore.p12 or keytool -v -list -keystore keystore.p12

   
   
   
   
   
4. Generate a public key with the following command line:
   

   openssl x509 -pubkey -noout -in certificate.crt > public.key

   
   
   

Configuring Snowflake : 

The USERADMIN role is required to perform the Snowflake configuration. Open your Snowflake environment and ensure you have a worksheet or query editor ready to execute the following SQL statements. .

1. For this step, you will create the necessary Snowflake components—database, warehouse, user, and role for testing purposes. If you already have an existing setup or example, feel free to re-use it

   -- Drop existing objects if they exist
   DROP DATABASE IF EXISTS ABE_TALEND_DB;           -- Drop the test database
   DROP WAREHOUSE IF EXISTS ABE_TALEND_WH;          -- Drop the test warehouse
   DROP ROLE IF EXISTS ABE_TALEND_ROLE;             -- Drop the test role
   DROP USER IF EXISTS ABE_TALEND_USER;             -- Drop the test user
   
   -- Create necessary objects
   CREATE WAREHOUSE ABE_TALEND_WH;                  -- Create the warehouse
   CREATE DATABASE ABE_TALEND_DB;                   -- Create the test database
   CREATE SCHEMA ABE_TALEND_DB.ABE;                 -- Create the schema "ABE" in the test database
   
   -- Create the test user
   CREATE OR REPLACE USER ABE_TALEND_USER
       PASSWORD = 'pwd!'                            -- Replace with a secure password
       LOGIN_NAME = 'ABE_TALEND_USER'
       FIRST_NAME = 't'
       LAST_NAME = 'tt'
       EMAIL = 't.tt@qlik.com'                      -- Replace with a valid email
       MUST_CHANGE_PASSWORD = FALSE
       DEFAULT_WAREHOUSE = ABE_TALEND_WH;
   
   -- Grant necessary permissions
   GRANT USAGE ON WAREHOUSE ABE_TALEND_WH TO ROLE SYSADMIN;   -- Grant warehouse access to SYSADMIN
   
   CREATE ROLE IF NOT EXISTS ABE_TALEND_ROLE;                  -- Create the custom role
   GRANT ROLE ABE_TALEND_ROLE TO USER ABE_TALEND_USER;         -- Assign the role to the user
   
   GRANT ALL PRIVILEGES ON DATABASE ABE_TALEND_DB TO ROLE ABE_TALEND_ROLE;                -- Full access to the database
   GRANT ALL PRIVILEGES ON ALL SCHEMAS IN DATABASE ABE_TALEND_DB TO ROLE ABE_TALEND_ROLE; -- Full access to all schemas
   GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ABE_TALEND_DB.ABE TO ROLE ABE_TALEND_ROLE;-- Full access to all tables in schema
   GRANT USAGE ON WAREHOUSE ABE_TALEND_WH TO ROLE ABE_TALEND_ROLE;                        -- Grant warehouse usage to custom role
   
   -- Verify user creation
   SHOW USERS;
   
   -- Create a test table and validate setup
   CREATE TABLE ABE_TALEND_DB.ABE.ABETABLE (
       NAME VARCHAR(100)
   );
   
   -- Test data retrieval
   SELECT * FROM ABE_TALEND_DB.ABE.ABETABLE;
   

2. For this step, please assign the public key to the Snowflake test user created earlier. To do this, you'll need do the following:
   • Locate public.key and open it in an editor (such as Notepad++)
   • Copy the public key displayed between BEGIN PUBLIC KEY and END PUBLIC KEY
     
     
     
     
   • In the Snowflake environment, open a worksheet or query editor to run the following SQL statements. You will add the previously generated public key to our user and be sure to replace it with your own key. 

     DESCRIBE USER

     And to verify that the key was successfully added. 

     ALTER USER ABE_TALEND_USER SET RSA_PUBLIC_KEY=public key ';
     DESCRIBE USER ABE_TALEND_USER;

     

3. Now we’ll verify that the configuration is correct. In your Snowflake environment, open a worksheet or query editor, run the following SQL statements, and copy the results (an sha256 hash of our public key ) into a Notepad or any text editor for reference. 
   
   

   DESC USER ABE_TALEND_USER;
   SELECT SUBSTR((SELECT "value" FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))  WHERE "property" = 'RSA_PUBLIC_KEY_FP'), LEN('SHA256:') + 1);

   
   

   Using OpenSSL, we will calculate the SHA-256 hash of the public key and compare it with the one previously generated by Snowflake to ensure they are matched.
   To do that use the following OpenSSL command:

   openssl rsa -pubin -in public.key -outform DER | openssl dgst -sha256 -binary | openssl enc -base64

   
   
   
   If the hash matches, proceed to Talend Studio configuration.

Configuring Talend Studio at Job Level : 

1. Launch your Talend Studio and drag both tSetKeyStore and tDBConnection(Snowflake) components from Palette to Designer Tab

   
   

2. In the Basic settings of tSetKeyStore component, enter the path to the  keystore .p12 file in double quotation marks in the KeyStore file field :

   
   
   

   
3. Use the Key Alias set in the keystore. p12 file before for Snowflake DB Connection ("abe", for this example) : 
   
   
   
   

    

4. Please test the connection to see if the key-pair authentication you set up works
   
   
   
   

Related Content

Talend-Job-using-key-pair-authentication-for-Snowflake-fails

Environment

Talend Studio 8.0.1

For both existing and new Qlik Alerting deployments customers will see a variety of errors when connecting to Qlik Sense.

In the developer tools and when testing the connection the following response error can be seen:

Unexpected server response: 403

Resolution

Follow these steps to resolve the issue: 

1. Install Qlik Alerting November 2024 SR1 (or later releases)
2. Go to C:\Program Files\Qlik Alerting\config
3. Open default.json
4. Change "webSocketEnabled" to true
   
   
   
   
5. Restart Qlik Alerting services

Cause

In Qlik Sense November 2024 CSRF protection was extended to Websocket requests and added support for CSRF to add-on products. This includes Qlik Alerting for Windows.

• Upgrade advisory for Qlik Sense on-premise November 2024: Required add-on upgrades
• Qlik Sense Enterprise on Windows release notes - November 2024

Internal Investigation ID(s):

QCB-30970

Environment

• Qlik Alerting
• Qlik Enterprise on Windows November 2024 and later

A scheduled Qlik Replicate task does not show up in the Executed Jobs list.

This is working as intended. The Executed Jobs tab will only show executed jobs that were scheduled to run once only. In other words, jobs scheduled to run periodically (e.g. Daily, Weekly, Monthly) will not be shown.

See Scheduling jobs.

Environment

Qlik Replicate 

You can set a table's background to black using the Black() function or RGB(0,0,0). It will display correctly in the table, but will not be exported as expected. The export reverts to the default color.

Black background not exported:

Resolution

This is a known defect. QCB-31540 is expected to be fixed in the next major QlikView 2025 release (Release of QlikView 12.100 IR moved to Fall 2025).

Information provided on this defect is given as is at the time of documenting. For up-to-date information, please review the most recent Release Notes or contact support with the ID QCB-31540 for reference.

Internal Investigation ID(s)

Product Defect ID: QCB-31540

Environment

• QlikView 12.80 and QlikView 12.90

The value of a reference line for a scatter plot chart may be beyond the displayed range and out of view. In this case, hovering over the icon indicating the reference line will not show its label tooltip.

The issue persists even if Show Label is checked.

Waterfall charts are also affected. 

No tooltip in scatter plot

tooltip works in other charts

Resolution

This behavior is being investigated as a defect (SUPPORT-3799). The expected fix release is the Qlik Sense Enterprise on Windows November 2025 release.

Information provided on this defect is given as is at the time of documenting. For up-to-date information, please review the most recent Release Notes or contact support with the ID SUPPORT-3799 for reference.

Fix Version:

Qlik Sense Enterprise on Windows November 2025

Cause

Product Defect ID: SUPPORT-3799

Environment

• Qlik Sense Enterprise on Windows May 2024 to May 2025 
• Qlik Sense Desktop May 2024 to May 2025 
• Scatterplot charts and Waterfall charts

You might be experiencing an issue in data formatting where input source values with leading zeros are not being reflected in the destination.

For example, a value like "00000001“  in the source may appear as ”1“ in the target

From above example, the leading zeros are not retained in the target column( unique ID in this case) when transferring data from a BigDecimal source type to a String type

Resolution

Use the following expression in the tMap Component of Talend Studio while mapping from source to destination

"String.format("%08d", row1.InputColumn.toBigInteger())"

Cause

A BigDecimal's standard canonical string representation does not include leading zeros.
Therefore, if you need to preserve leading zeros, you must explicitly format the value accordingly.

Related Content 

For more information about BigDecimal math, please refer to Oracle Official Document as below

https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/math/BigDecimal.html

Environment

Talend Studio 

Talend Data Integration 

The Qlik Sense Mobile app displays empty streams.

Empty streams are typically not displayed when viewing the Qlik Sense hub from a browser. The Qlik Sense Mobile app will list them, regardless of content.

Example

These streams created in the Qlik Sense Management Console do not have content (apps):

The Qlik Sense Mobile app displays the empty streams:

Resolution

This behaviour is being reviewed by Qlik. See the Release Notes or contact support for details on QCB-26110.

Cause

Product Defect ID: QCB-26110

Environment

• Qlik Sense Enterprise on Windows
• Qlik Sense Mobile on-premise

After modifying the .item file to change the context values within an exported Job, the Job can no longer be imported into Talend Studio, rendering the item file invalid.

Cause

There is a signature in the .item file , if it is modified, the file will no longer be valid.

Resolution

Manual modification of the .item file is not feasible.

Environment

• Talend Studio 8.0.1

Qlik Cloud Analytics customers can now easily include highly formatted tabular or PixelPerfect reports in their automations with two new blocks:

Get PixelPerfect Report

Get Tabular Report

Report developers can create highly formatted report templates to achieve stakeholder analytics presentation requirements. Using these new blocks, automation developers can then easily configure report production from a target Qlik Sense app, using selection states to produce a report output that can be used in the business process definition.

Need to know

Passing selections for the report

• To control the data reduction, bookmark Id’s can be referenced in the block definition. The common practice would be to create a temp bookmark using the Select Field Value and Create Bookmark blocks.
• Be sure to specify in the report block the same type of bookmark as specified in the Create Bookmark block.

Move report with Create Binary File Block

• The recommended practice would be to use the Create Binary File block using the output of the report block.

Copy report with Copy To block

• A Copy To block can also be used, but note that the file name returned from the reporting services will always be a GUID with a “:” in the file name. The file should be renamed as part of the move to the target channel.

Environment

• Qlik Automate

This article explains how the session API works and the workflow.
Postman is used to perform the API call to add the session in Qlik Sense.
In the browser, developer tools or an extension can be used to set the cookie.

Authentication workflow

1. User authenticate to an external session module (This module must be built by the customer)
2. The module adds the session to the Proxy using the session API
3. The module sets the cookie for the end user
4. The end user is recognized as authenticated and can access the hub and apps.
 

Virtual Proxy settings:

It does not matter which authentication method is set on the virtual proxy as we are creating directly a session when using this method. However, the following information: Session Cookie header name, Authentication module redirect URI and Session Cookie domain are important to remember when you use the Session API. 


 

Add the session:

You will need to have the QlikClient certificate installed for the user performing this API call. More information is available in following articles:
QRS API using Xrfkey header in Postman
Export client certificate and root certificate to make API calls with Postman

In order to add a session to the virtual proxy, you need to provide the following information:
UserDirectory
UserId
Attributes (optional, these are for example groups to which the user belongs to)
Cookie value (In Qlik Sense by default, a 36 characters string such as aa051074-13a1-4f2a-842b-a64aa4d21001 is used, however this can be any value, but it must be long enough and randomized to ensure there is not 2 session cookies with the same value that are added to the virtual proxy)

Example of API call:
https://qlikserver1.domain.local:4243/qps/{virtual proxy prefix}/session?xrfkey=0123456789abcdef

Headers:

Body:
{
  "UserDirectory": "DOMAIN",
  "UserId": "User1",
  "Attributes":
    [],
  "SessionId": "aa051074-13a1-4f2a-842b-a64aa4d21001"
}

Postman:



PowerShell:

$body = '{
  "UserDirectory": "DOMAIN",
  "UserId": "User1",
  "Attributes":
    [],
  "SessionId": "aa051074-13a1-4f2a-842b-a64aa4d21001"
}'
   $hdrs = @{}
   $hdrs.Add("X-Qlik-xrfkey","iX83QmNlvu87yyAB")
   $url = "https://qlikserver1.domain.local:4243/qps/session?xrfkey=iX83QmNlvu87yyAB"
   $cert = Get-ChildItem -Path "Cert:\CurrentUser\My" | Where {$_.Subject -like '*QlikClient*'}
   Invoke-RestMethod -Uri $url -Method Post -Body $body -ContentType 'application/json' -Headers $hdrs -Certificate $cert

Set the cookie:

In Chrome, an extension such as "EditThisCookie" can be used to test that the session API works.

Open the hub and add a cookie with the following information:

Name: X-Qlik-Session-sessionvp
Value: aa051074-13a1-4f2a-842b-a64aa4d21001
Domain: domain.local
Expiration: 0001-01-01 00:00:00
HttpOnly:True
Secure:True




Save the cookie and refresh the page, make sure the address is https://qlikserver1.domain.local/{virtual proxy prefix}/hub/ when you refresh.

Now you should be logged in as the user requested in the previous API call and able to access the hub/your apps.

This article explains how to view your own and your colleague's cases in the Support Case Portal.

Steps:

1. Login to the Qlik Community
2. Click on Support in the top navigational ribbon
3. Click Manage Cases (or use the direct link: Case Portal)
   
   
   
   
4. From here, use the ribbon menu to select Cases or scroll down and click the Cases tile
   
   
   
   
5. You will be shown a list of all your cases and can now:
   
   
    
   
   1. Select fields: Helps you configure what fields you want to see in your list)
   2. Manage filters: What cases do you want to see?
       
      • Filter by Creator: Only your cases or your entire account's cases
      • Filter on Selected Fields: Allows you to drill down to specific fields
        
        Example to list only Closed cases restricted to My Cases:
        
        
        
        Tip: Don't forget to click + ADD FILTER once you have created it.
        
        
   3. Create a Case: Create a new case
      
      

Don't have access to your collogues cases? See How To View Other User Cases Within Your Organization.

Related Content:

How to create a case and contact Qlik Support 
How To View Other User Cases Within Your Organization

Content

• Introduction
• Identity Federation
• Case Study - KeyCloak Federating with Auth0
• User Experience and Security
• Final Thoughts

Introduction

Qlik Cloud is designed to support a single interactive Identity Provider (IdP) per tenant.

As my friend @DaveChannon explains in Why Qlik doesn't support multiple interactive identity providers on a Qlik Cloud tenant, only one interactive identity provider can be enabled at any one time for Qlik Cloud (Which includes Qlik Cloud Analytics and Qlik Talend Cloud Data Integration).  Without restating the points Dave made, the short answer is we do not plan to change this as we don't consider this good practice.

So, if your organisation needs to support multiple IDPs, what can you do?  There are many use-cases that require this, such as:

• Providing access to external parties without adding them to your Organisation's IDP.
• OEM use-cases with customers who have their own IDPs
• Company mergers (This is one we've used ourselves a few times)

These are just a few examples but this is a very common use case for most large organisations.  So what do you have to do?  Well, you could solve this with multiple tenants, but that's often a high-maintenance solution and isn't ideal.  That's why, as Dave mentioned, we recommend that customers use Identity federation to address this. 

Identity Federation

Identity federation is a mechanism that links a user's identity across multiple identity management systems, allowing them to access different applications and resources without needing separate logins or credentials.  Almost all major providers support this.  For example, these IDPs all support federation:

Case Study - KeyCloak Federating with Auth0

So, how complex is this and how does it look to my users and Qlik Cloud tenant?

 

I set up a simple example of this using KeyCloak and Auth0. The way this works is:

1. The user tries to connect to their Qlik Cloud tenant
2. Qlik sends the user to KeyCloak for authentication
3. KeyCloak provides the user the option to either log in directly with KeyCloak or be directed to Auth0 to log in.
4. After logging in, KeyCloak received user metadata, such as e-mail, groups, etc.
5. KeyCloak then provides this to Qlik Cloud
6. The user gains access to Qlik Cloud.

 

 

While this is not a 'how-to' article, at a high level, what I've set up is:

1. KeyCloak is the IDP for my Qlik Cloud tenant:
   
   
   
   
2. In Keycloak I have my Groups and users set up as group members:
   
   
   
   
   
   
   
   
   
3. And I have also set up Auth0 as an Identity provider for KeyCloak:
   
   
   
   
4. And hard-coded the 'External' group to any users coming from Auth0:
   
   
   

 

This may not always be what you want to do.  You may wish to use the groups coming from Auth0 also, and that is possible, but not needed for my use case.

Finally, here are my users set up in Auth0:

 

User Experience and Security

So what happens when I log in?

First, let's look at jane@qmi.com.  Jane is set up in KeyCloak. After opening the URL for our Qlik Cloud tenant, I am redirected to the keycloak login screen:

 

 

I can log in directly here or choose to sign in with Auth0.  Jane logs into KeyCloak directly and is then sent back to the Qlik Tenant:

 

 

To understand what information Qlik Clouid has been provided, we can append "/api/v1/diagnose-claims" to the end of our tenant URL. This will show us the metadata Qlik has received about Jane, such as: 

 

 

We are most concerned about Jane's groups, as that is how we will control access. Jane is in the Finance and Human Resources groups. 

In our tenant, we have the following spaces and access rules:

Space Name	Space Type	Groups with Access
External	Managed	External:  Read Only
External_development	Shared	Finance: full access Sales: full access Human Resources: full access
Finance	Shared	Finance: Read Only
Sales	Shared	Sales: Read Only
Human Resources	Shared	Human Resources: Read Only

 

So Jane sees the Finance, Human Resources, and External_development spaces:

 

 

 

What happens when a user logs in through Auth0? This time joe.public@company1.com will log in via Auth0:

 

 

As this user has never logged in before, KeyCloak asks for some details:

 

 

After logging in, we can look at the "/api/v1/diagnose-claims" endpoint to see the user's metadata.  We see the External group, which we hard-coded for Auth0 users in KeyCloak:

 

And when looking at the user's space access, we can only see the External space as expected:

 

Final Thoughts

This is a simple example I put together in a couple of hours. I selected KeyCloak and Auth0 simply because I have some experience with them - most IDPs could do this (and also, I could have chosen to reverse the order and have Auth0 as the primary IDP).

Neither Qlik nor I make any specific recommendations as to what identity providers customers should use.

While we haven't looked at it here, it's also possible to use social services (such as LinkedIn, GitHub, Facebook, etc.) as external Identity providers, which may well be a better solution for some use-cases. And you can support many of these at the same time as your needs require.  

If you require assistance in this, your friendly neighbourhood Qlik Services team can assist, as can our partners.