Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

After ITSI migration to 3.0, the services are empty, ERROR: Parameter "name" must be 100 characters or less

yannK
Splunk Employee
Splunk Employee
‎10-25-2017 01:47 PM

I did an upgrade of my ITSI to 3.0, and in the process I saw some errors in the itsi_migration.log

2017-10-23 09:53:36,941 INFO [itsi.migration] [base_migration_interface] [_get_object_file_list] [23596] obtain the local storage target file list: ['D:\\Splunk\\var\\itsi\\migration_helper\\kpi_base_search___0.json']
2017-10-23 09:53:41,783 ERROR [itsi.migration] [migration] [migration_bulk_save_to_kvstore] [23596] [HTTP 400] Bad Request; [{'type': 'ERROR', 'text': 'Parameter "name" must be 100 characters or less.', 'code': None}]

Now the service panel does not load, and I had to rollback to ITSI 2.6.*

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎10-25-2017 01:52 PM

We found that the long object was a Service KPI search, relying on a base search from the module DA-ITSI-ITSI-Health-Check-Module

search :
[DA-ITSI-ITSI-Health-Check-Module-DA-ITSI-ITSI-Health-Check-Module_ITSI-Health_Splunk.Searches]

Saved Search Name that was too long : (128 chars > 100 char limit)
Indicator - Shared - DA-ITSI-ITSI-Health-Check-Module-DA-ITSI-ITSI-Health-Check-Module_ITSI-Health_Splunk.Searches - ITSI Search

The problem was that the objects in the kvstore was a combination of the service, indicator and base search name, and went over the limit.

Solution :
- once rolled back to 2.6.*
- go to configuration > services , and find the service calling that base search, and delete it
- stop splunk
- redo the upgrade to 3.0
- check the services after

PS : As the app/module DA-ITSI-ITSI-Health-Check-Module has been deprecated, it's better to remove the module anyway.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎10-25-2017 01:52 PM

We found that the long object was a Service KPI search, relying on a base search from the module DA-ITSI-ITSI-Health-Check-Module

search :
[DA-ITSI-ITSI-Health-Check-Module-DA-ITSI-ITSI-Health-Check-Module_ITSI-Health_Splunk.Searches]

Saved Search Name that was too long : (128 chars > 100 char limit)
Indicator - Shared - DA-ITSI-ITSI-Health-Check-Module-DA-ITSI-ITSI-Health-Check-Module_ITSI-Health_Splunk.Searches - ITSI Search

The problem was that the objects in the kvstore was a combination of the service, indicator and base search name, and went over the limit.

Solution :
- once rolled back to 2.6.*
- go to configuration > services , and find the service calling that base search, and delete it
- stop splunk
- redo the upgrade to 3.0
- check the services after

PS : As the app/module DA-ITSI-ITSI-Health-Check-Module has been deprecated, it's better to remove the module anyway.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...