topic SentinelOne App Errors in All Apps and Add-ons

SentinelOne App Errors

dompico — Wed, 04 Jun 2025 16:30:51 GMT

Hello,

I'm trying to get SentinelOne data into my cloud instance but I'm getting errors similar to this related to the inputs. At first I was having an issue with authentication errors using the API. I believe that's resolved after regenerating the key, because these are the only logs I can see in the index I created for S1.

error_message="[HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/sentinelone_app_for_splunk/configs/conf-authhosts/********?output_mode=json" error_type="<class 'splunk.ResourceNotFound'>" error_arguments="[HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/sentinelone_app_for_splunk/configs/conf-authhosts/***********?output_mode=json" error_filename="s1_client.py" error_line_number="162" input_guid="*****************" input_name="Threats"

Re: SentinelOne App Errors

livehybrid — Wed, 04 Jun 2025 06:37:10 GMT

Hi @dompico

I assume that this is installed on a heavy forwarder within your environment? Please can you confirm how you've installed the app? It looks like the app is looking for authhosts.conf which it cannot find.

The app doesnt ship with this file, so I presume its generated as part of the modular input when it runs.

Are there any other errors before this error relating to the retrieval of content from S1 that might be used to populate this conf file?

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: SentinelOne App Errors

aplura_llc_supp — Wed, 04 Jun 2025 14:03:56 GMT

Good Salutations!

That error is indicating that credentials cannot be found. It can typically happen when there are multiple SentinelOne Apps installed on the same instance (App, IA, TA).

If there is more than one installed, remove the ones not for that tier (App => SearchHeads, IA=> HF/IDM, TA=>IDX). These should be fully removed, "rm rf" if you will, not just disabled. Removed.

Once removed, re-configure the app and try again.

Thanks!

Re: SentinelOne App Errors

dompico — Wed, 04 Jun 2025 15:49:53 GMT

Hello,

I only have this one app from S1 installed on the indexer/searchhead which is in Splunk cloud.

Re: SentinelOne App Errors

dompico — Wed, 04 Jun 2025 15:58:42 GMT

Hello,

This is installed directly on the splunk cloud instance. I just started using splunk about a week ago. To my knowledge, I don't have cli access to modify any files. I also don't see why I would need to, as there is no mention of a need to in the instructions. They seem to have built everything you would need into the app configuration pages such as fields to input api key and whatnot.

I also found the thread you mentioned, but it seems no one was able to come up with a solution then either.