Are you a member of the Splunk Community?
- Find Answers
- :
- Premium Solutions
- :
- Splunk ITSI
- :
- ITSI configuration file - Management - itsi_team.c...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITSI configuration file - Management - itsi_team.conf
I am trying to administer ITSI using configuration files instead of creating and managing the configs on the UI.
To start off I try to configure a new team in the itsi_team.conf file under SA-ITOA app.
I created a copy of the itsi_team.conf under the local folder in the above app and updated the contents of the file with the below stanza.
[sample_itsi_security_group]
title = sample
description = Team for sample users
_immutable = 1
acl = {"owner":"nobody","read":["sample_viewonly"],"write":["itoa_admin"],"delete":["itoa_admin"]}
After this I restarted splunk. During the restart I get the below errors for every line in the above stanza:
Invalid key in stanza [sample_itsi_security_group] in /opt/splunk/etc/apps/SA-ITOA/local/itsi_team.conf, line 2: title (value: sample).
Invalid key in stanza [sample_itsi_security_group] in /opt/splunk/etc/apps/SA-ITOA/local/itsi_team.conf, line 3: description (value: Team for sample users).
Invalid key in stanza [sample_itsi_security_group] in /opt/splunk/etc/apps/SA-ITOA/local/itsi_team.conf, line 4: _immutable (value: 1).
Invalid key in stanza [sample_itsi_security_group] in /opt/splunk/etc/apps/SA-ITOA/local/itsi_team.conf, line 5: acl (value: {"owner":"nobody","read":["sample_viewonly"],"write":["itoa_admin"],"delete":["itoa_admin"]}).
Why am I getting these errors although I have followed the spec file to configure this?
Also I can see the team is created and the correct roles given the read and write access as per my config when I check on the UI, inspite of these errors thrown while restarting splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @rijutha,
Your stanza name is incorrect, it should be default_itsi_security_group as per the documentation.
If you want to give a name you can give in property title.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But what if I want to create different teams? Multiple stanzas with the same name?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also that did not create the team.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITSI team information is stored in KVstore not in conf file. And as per the documentation itsi_team.conf is just to upload team information to KVstore, so once team is added to KVstore it is not used anymore.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes and my intention is also to upload the team confirguration to the KV Store which also means - to get the team created with the right acl values and have it listed under "Teams" in the ITSI UI.
But it does not happen when I have the stanza named as "default_itsi_security_group".
But it does get created when I have a different stanza name in this case - sample_itsi_security_group.
But i get the invalid key errors when I do this.
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
