Splunk ITSI

ITSI Upgrade from 2.6.1 to 3.1.4 causes access issues to services, entities, base searches etc.

splunk4nisha
New Member

When upgrading to itsi 3.1.4 from 2.6.1 (splunk enterpriise version: 7.1.2) is successful, however when trying to access services, entities,bases searches , correlation searches , it shows no results. Although I can see glass tables but empty.

After upgrade already ran below script for global team access and restarted, but issue persisted.
https://answers.splunk.com/answers/672488/why-am-i-getting-errors-after-upgrading-splunk-it.html

some logs from internal index during the issue duration:

  1. Feel this is the cause of the issue but not sure what could have caused this access denied issue, found question related to this error but we didn't saw this error during backup/restore, so that is not the case for us. [link: https://answers.splunk.com/answers/726054/itsi-backup-and-restore-error-itoaaccessdeniederro.html]

ERROR [itoa.object] [itoa_exceptions] [init] [4607] [ITOA Access Denied Error]Access denied. You do not have permission to access this object.

ERROR [itsi.object.utils] [itsi_utils] [import_setting] [12756] Unable to import setting: kpi_threshold_template_8_stdev of type kpi_threshold_template, ignoring
Traceback (most recent call last):
File "/opt/splunk/etc/apps/SA-ITOA/lib/itsi/itsi_utils.py", line 1304, in import_setting
if object_of_type.get(owner, normalized_setting.get('_key', '')) is None:
File "/opt/splunk/etc/apps/SA-ITOA/lib/ITOA/itoa_object.py", line 648, in get
logger)
ItoaAccessDeniedError: Access denied. You do not have permission to access this object.

  1. This error stopped after executing the script for global team

ERROR [itoa.storage.statestore] [statestore] [get] [16992] [get_statestore_team] 404 Not Found on GET to /servicesNS/nobody/SA-ITOA/storage/collections/data/itsi_team/default_itsi_security_group

  1. +0100 ERROR AuthenticationManagerLDAP - user="xxxx" has matching LDAP groups with strategy="AD Active Directory", but none are mapped to Splunk roles

Anyone please help!!!

0 Karma

esnyder_splunk
Splunk Employee
Splunk Employee
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...