Splunk ITSI
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

After ITSI migration to 3.0, the services are empty, ERROR: Parameter "name" must be 100 characters or less

yannK
Splunk Employee
Splunk Employee
‎10-25-2017 01:47 PM

I did an upgrade of my ITSI to 3.0, and in the process I saw some errors in the itsi_migration.log

2017-10-23 09:53:36,941 INFO [itsi.migration] [base_migration_interface] [_get_object_file_list] [23596] obtain the local storage target file list: ['D:\\Splunk\\var\\itsi\\migration_helper\\kpi_base_search___0.json']
2017-10-23 09:53:41,783 ERROR [itsi.migration] [migration] [migration_bulk_save_to_kvstore] [23596] [HTTP 400] Bad Request; [{'type': 'ERROR', 'text': 'Parameter "name" must be 100 characters or less.', 'code': None}]

Now the service panel does not load, and I had to rollback to ITSI 2.6.*

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎10-25-2017 01:52 PM

We found that the long object was a Service KPI search, relying on a base search from the module DA-ITSI-ITSI-Health-Check-Module

search :
[DA-ITSI-ITSI-Health-Check-Module-DA-ITSI-ITSI-Health-Check-Module_ITSI-Health_Splunk.Searches]

Saved Search Name that was too long : (128 chars > 100 char limit)
Indicator - Shared - DA-ITSI-ITSI-Health-Check-Module-DA-ITSI-ITSI-Health-Check-Module_ITSI-Health_Splunk.Searches - ITSI Search

The problem was that the objects in the kvstore was a combination of the service, indicator and base search name, and went over the limit.

Solution :
- once rolled back to 2.6.*
- go to configuration > services , and find the service calling that base search, and delete it
- stop splunk
- redo the upgrade to 3.0
- check the services after

PS : As the app/module DA-ITSI-ITSI-Health-Check-Module has been deprecated, it's better to remove the module anyway.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎10-25-2017 01:52 PM

We found that the long object was a Service KPI search, relying on a base search from the module DA-ITSI-ITSI-Health-Check-Module

search :
[DA-ITSI-ITSI-Health-Check-Module-DA-ITSI-ITSI-Health-Check-Module_ITSI-Health_Splunk.Searches]

Saved Search Name that was too long : (128 chars > 100 char limit)
Indicator - Shared - DA-ITSI-ITSI-Health-Check-Module-DA-ITSI-ITSI-Health-Check-Module_ITSI-Health_Splunk.Searches - ITSI Search

The problem was that the objects in the kvstore was a combination of the service, indicator and base search name, and went over the limit.

Solution :
- once rolled back to 2.6.*
- go to configuration > services , and find the service calling that base search, and delete it
- stop splunk
- redo the upgrade to 3.0
- check the services after

PS : As the app/module DA-ITSI-ITSI-Health-Check-Module has been deprecated, it's better to remove the module anyway.

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...