SAI integration with ITSI on Search head cluster

KSinghK · ‎02-20-2020

HI all,

I am trying to deploy ITSI and was successful in doing so on a single search head. It got integrated with SAI and worked fine. But as soon as i tried the same on Search head cluster it wont integrate with SAI some how.
any ideas, suggestions are welcome.
Splunk ver- 7.3.3
ITSI ver 4.4.1

Tried integration twice or thrice now. the setting for Data Input for Splunk App for Infrastructure - Entity Migration is not available
Getting this error :Current instance is running in SHC mode and is not able to add new inputs

thanks in advance.

regards,
Kulwinder Singh

yannK · ‎06-09-2020

The SAI-ITSI integration has a wizard that asks once, if you want enable the entity migration.

If the wizard did not run, or was skipped, there is no way to redo it on a SHCluster. Because the setting is ultimately a modular input to enable, but the "Inputs manager" is not accessible in the UI on a SHCluster.

The workaround is to enable the modular input in the inputs.conf directly, from the deployer.

On the deployer shcluster apps folder, find the app splunk_app_infrastructure, create a local folder with an inputs.conf, and add this enabled modular input,

[em_entity_migration://job]
disabled = 0

Then push it on all the SHC peers from the deployer.

SAI integration with ITSI on Search head cluster

installation

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector