Splunk ITSI
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

ITSI configuration file - Management - itsi_team.conf

rijutha
Explorer
‎06-13-2019 01:04 AM

I am trying to administer ITSI using configuration files instead of creating and managing the configs on the UI.

To start off I try to configure a new team in the itsi_team.conf file under SA-ITOA app.

I created a copy of the itsi_team.conf under the local folder in the above app and updated the contents of the file with the below stanza.

[sample_itsi_security_group]
title = sample
description = Team for sample users
_immutable = 1
acl = {"owner":"nobody","read":["sample_viewonly"],"write":["itoa_admin"],"delete":["itoa_admin"]}

After this I restarted splunk. During the restart I get the below errors for every line in the above stanza:
Invalid key in stanza [sample_itsi_security_group] in /opt/splunk/etc/apps/SA-ITOA/local/itsi_team.conf, line 2: title (value: sample).
Invalid key in stanza [sample_itsi_security_group] in /opt/splunk/etc/apps/SA-ITOA/local/itsi_team.conf, line 3: description (value: Team for sample users).
Invalid key in stanza [sample_itsi_security_group] in /opt/splunk/etc/apps/SA-ITOA/local/itsi_team.conf, line 4: _immutable (value: 1).
Invalid key in stanza [sample_itsi_security_group] in /opt/splunk/etc/apps/SA-ITOA/local/itsi_team.conf, line 5: acl (value: {"owner":"nobody","read":["sample_viewonly"],"write":["itoa_admin"],"delete":["itoa_admin"]}).

Why am I getting these errors although I have followed the spec file to configure this?
Also I can see the team is created and the correct roles given the read and write access as per my config when I check on the UI, inspite of these errors thrown while restarting splunk.

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎06-13-2019 06:35 AM

Hello @rijutha,

Your stanza name is incorrect, it should be default_itsi_security_group as per the documentation.
If you want to give a name you can give in property title.

0 Karma
Reply

rijutha
Explorer
‎06-13-2019 04:56 PM

But what if I want to create different teams? Multiple stanzas with the same name?

0 Karma
Reply

rijutha
Explorer
‎06-13-2019 05:03 PM

Also that did not create the team.

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎06-13-2019 09:07 PM

ITSI team information is stored in KVstore not in conf file. And as per the documentation itsi_team.conf is just to upload team information to KVstore, so once team is added to KVstore it is not used anymore.

0 Karma
Reply

rijutha
Explorer
‎06-13-2019 10:37 PM

Yes and my intention is also to upload the team confirguration to the KV Store which also means - to get the team created with the right acl values and have it listed under "Teams" in the ITSI UI.

But it does not happen when I have the stanza named as "default_itsi_security_group".

But it does get created when I have a different stanza name in this case - sample_itsi_security_group.

But i get the invalid key errors when I do this.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...