I am trying to deploy ITSI and was successful in doing so on a single search head. It got integrated with SAI and worked fine. But as soon as i tried the same on Search head cluster it wont integrate with SAI some how. any ideas, suggestions are welcome. Splunk ver- 7.3.3 ITSI ver 4.4.1
Tried integration twice or thrice now. the setting for Data Input for Splunk App for Infrastructure - Entity Migration is not available Getting this error :Current instance is running in SHC mode and is not able to add new inputs
The SAI-ITSI integration has a wizard that asks once, if you want enable the entity migration.
If the wizard did not run, or was skipped, there is no way to redo it on a SHCluster. Because the setting is ultimately a modular input to enable, but the "Inputs manager" is not accessible in the UI on a SHCluster.
The workaround is to enable the modular input in the inputs.conf directly, from the deployer.
On the deployer shcluster apps folder, find the app splunk_app_infrastructure, create a local folder with an inputs.conf, and add this enabled modular input,
[em_entity_migration://job] disabled = 0
Then push it on all the SHC peers from the deployer.