Splunk ITSI

SAI integration with ITSI on Search head cluster

KSinghK
Loves-to-Learn Lots

HI all,

I am trying to deploy ITSI and was successful in doing so on a single search head. It got integrated with SAI and worked fine. But as soon as i tried the same on Search head cluster it wont integrate with SAI some how.
any ideas, suggestions are welcome.
Splunk ver- 7.3.3
ITSI ver 4.4.1

Tried integration twice or thrice now. the setting for Data Input for Splunk App for Infrastructure - Entity Migration is not available
Getting this error :Current instance is running in SHC mode and is not able to add new inputs

thanks in advance.

regards,
Kulwinder Singh

Labels (1)
Tags (2)
0 Karma

yannK
Splunk Employee
Splunk Employee

The SAI-ITSI integration has a wizard that asks once, if you want enable the entity migration.

If the wizard did not run, or was skipped, there is no way to redo it on a SHCluster. Because the setting is ultimately a modular input to enable, but the "Inputs manager" is not accessible in the UI on a SHCluster.

The workaround is to enable the modular input in the inputs.conf directly, from the deployer.

On the deployer shcluster apps folder, find the app splunk_app_infrastructure,  create a local folder with an inputs.conf, and add this enabled modular input,

[em_entity_migration://job]
disabled = 0

Then push it on all the SHC peers from the deployer. 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...