Splunk IT Service Intelligence

After ITSI migration to 3.0, the services are empty, ERROR: Parameter "name" must be 100 characters or less

yannK
Splunk Employee
Splunk Employee

I did an upgrade of my ITSI to 3.0, and in the process I saw some errors in the itsi_migration.log

2017-10-23 09:53:36,941 INFO [itsi.migration] [base_migration_interface] [_get_object_file_list] [23596] obtain the local storage target file list: ['D:\\Splunk\\var\\itsi\\migration_helper\\kpi_base_search___0.json']
2017-10-23 09:53:41,783 ERROR [itsi.migration] [migration] [migration_bulk_save_to_kvstore] [23596] [HTTP 400] Bad Request; [{'type': 'ERROR', 'text': 'Parameter "name" must be 100 characters or less.', 'code': None}]

Now the service panel does not load, and I had to rollback to ITSI 2.6.*

0 Karma
1 Solution

yannK
Splunk Employee
Splunk Employee

We found that the long object was a Service KPI search, relying on a base search from the module DA-ITSI-ITSI-Health-Check-Module

search :
[DA-ITSI-ITSI-Health-Check-Module-DA-ITSI-ITSI-Health-Check-Module_ITSI-Health_Splunk.Searches]

Saved Search Name that was too long : (128 chars > 100 char limit)
Indicator - Shared - DA-ITSI-ITSI-Health-Check-Module-DA-ITSI-ITSI-Health-Check-Module_ITSI-Health_Splunk.Searches - ITSI Search

The problem was that the objects in the kvstore was a combination of the service, indicator and base search name, and went over the limit.

Solution :
- once rolled back to 2.6.*
- go to configuration > services , and find the service calling that base search, and delete it
- stop splunk
- redo the upgrade to 3.0
- check the services after

PS : As the app/module DA-ITSI-ITSI-Health-Check-Module has been deprecated, it's better to remove the module anyway.

View solution in original post

0 Karma

yannK
Splunk Employee
Splunk Employee

We found that the long object was a Service KPI search, relying on a base search from the module DA-ITSI-ITSI-Health-Check-Module

search :
[DA-ITSI-ITSI-Health-Check-Module-DA-ITSI-ITSI-Health-Check-Module_ITSI-Health_Splunk.Searches]

Saved Search Name that was too long : (128 chars > 100 char limit)
Indicator - Shared - DA-ITSI-ITSI-Health-Check-Module-DA-ITSI-ITSI-Health-Check-Module_ITSI-Health_Splunk.Searches - ITSI Search

The problem was that the objects in the kvstore was a combination of the service, indicator and base search name, and went over the limit.

Solution :
- once rolled back to 2.6.*
- go to configuration > services , and find the service calling that base search, and delete it
- stop splunk
- redo the upgrade to 3.0
- check the services after

PS : As the app/module DA-ITSI-ITSI-Health-Check-Module has been deprecated, it's better to remove the module anyway.

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...