Splunk IT Service Intelligence

After ITSI migration to 3.0, the services are empty, ERROR: Parameter "name" must be 100 characters or less

yannK
Splunk Employee
Splunk Employee

I did an upgrade of my ITSI to 3.0, and in the process I saw some errors in the itsi_migration.log

2017-10-23 09:53:36,941 INFO [itsi.migration] [base_migration_interface] [_get_object_file_list] [23596] obtain the local storage target file list: ['D:\\Splunk\\var\\itsi\\migration_helper\\kpi_base_search___0.json']
2017-10-23 09:53:41,783 ERROR [itsi.migration] [migration] [migration_bulk_save_to_kvstore] [23596] [HTTP 400] Bad Request; [{'type': 'ERROR', 'text': 'Parameter "name" must be 100 characters or less.', 'code': None}]

Now the service panel does not load, and I had to rollback to ITSI 2.6.*

0 Karma
1 Solution

yannK
Splunk Employee
Splunk Employee

We found that the long object was a Service KPI search, relying on a base search from the module DA-ITSI-ITSI-Health-Check-Module

search :
[DA-ITSI-ITSI-Health-Check-Module-DA-ITSI-ITSI-Health-Check-Module_ITSI-Health_Splunk.Searches]

Saved Search Name that was too long : (128 chars > 100 char limit)
Indicator - Shared - DA-ITSI-ITSI-Health-Check-Module-DA-ITSI-ITSI-Health-Check-Module_ITSI-Health_Splunk.Searches - ITSI Search

The problem was that the objects in the kvstore was a combination of the service, indicator and base search name, and went over the limit.

Solution :
- once rolled back to 2.6.*
- go to configuration > services , and find the service calling that base search, and delete it
- stop splunk
- redo the upgrade to 3.0
- check the services after

PS : As the app/module DA-ITSI-ITSI-Health-Check-Module has been deprecated, it's better to remove the module anyway.

View solution in original post

0 Karma

yannK
Splunk Employee
Splunk Employee

We found that the long object was a Service KPI search, relying on a base search from the module DA-ITSI-ITSI-Health-Check-Module

search :
[DA-ITSI-ITSI-Health-Check-Module-DA-ITSI-ITSI-Health-Check-Module_ITSI-Health_Splunk.Searches]

Saved Search Name that was too long : (128 chars > 100 char limit)
Indicator - Shared - DA-ITSI-ITSI-Health-Check-Module-DA-ITSI-ITSI-Health-Check-Module_ITSI-Health_Splunk.Searches - ITSI Search

The problem was that the objects in the kvstore was a combination of the service, indicator and base search name, and went over the limit.

Solution :
- once rolled back to 2.6.*
- go to configuration > services , and find the service calling that base search, and delete it
- stop splunk
- redo the upgrade to 3.0
- check the services after

PS : As the app/module DA-ITSI-ITSI-Health-Check-Module has been deprecated, it's better to remove the module anyway.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...