<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: SentinelOne Applications Channel No Longer Populating Events in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/SentinelOne-Applications-Channel-No-Longer-Populating-Events/m-p/704962#M116602</link>
    <description>&lt;P&gt;We started seeing this recently as well.&amp;nbsp; Also the various S1 Splunk integrations do not understand or permit having the IA and App on the same instance so Victoria experience doesn't work properly.&amp;nbsp; This is also the case for the various scalyr dataset add ons, cannot create inputs because it complains about being on a search head.&lt;/P&gt;</description>
    <pubDate>Thu, 21 Nov 2024 16:07:25 GMT</pubDate>
    <dc:creator>mstanton</dc:creator>
    <dc:date>2024-11-21T16:07:25Z</dc:date>
    <item>
      <title>SentinelOne Applications Channel No Longer Populating Events</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/SentinelOne-Applications-Channel-No-Longer-Populating-Events/m-p/678396#M113364</link>
      <description>&lt;P&gt;We've been collecting data with the inputs add-on (&lt;LI-PRODUCT title="Input Add On for SentinelOne App For Splunk" id="5436"&gt;&lt;/LI-PRODUCT&gt;) for several years now.&amp;nbsp; The applications channel has always been a bit problematic with the collection process running for several days but now we haven't seen any data since Monday February 19th around 5:00 PM. It's February 22nd and we generally see applications data every day.&lt;/P&gt;&lt;P&gt;We started seeing errors on February 16th&lt;/P&gt;&lt;TABLE border="1" width="100%"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD width="100%"&gt;&lt;P&gt;error_message="cannot unpack non-iterable NoneType object" error_type="&amp;amp;lt;class 'TypeError'&amp;amp;gt;" error_arguments="cannot unpack non-iterable NoneType object" error_filename="s1_client.py" error_line_number="500" input_guid="8bb303-be5-6fe3-1b6-63a0c52b60c" input_name="Applications"&lt;/P&gt;&lt;P&gt;error_message="[{'code': 5000010, 'detail': 'Server could not process the request.', 'title': 'Internal server error'}]" error_type="&amp;amp;lt;class 'management.mgmtsdk_v2.exceptions.InternalServerErrorException'&amp;amp;gt;" error_arguments="[{'code': 5000010, 'detail': 'Server could not process the request.', 'title': 'Internal server error'}]" error_filename="s1_client.py" error_line_number="223" input_guid="8bb303-be5-6fe3-1b6-63a0c52b60c" input_name="Applications"&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;And have seen a few errors since then&lt;/P&gt;&lt;TABLE border="1" width="100%"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD width="100%"&gt;&lt;P&gt;error_message="cannot unpack non-iterable NoneType object" error_type="&amp;amp;lt;class 'TypeError'&amp;amp;gt;" error_arguments="cannot unpack non-iterable NoneType object" error_filename="s1_client.py" error_line_number="500" input_guid="8bb303-be5-6fe3-1b6-63a0c52b60c" input_name="Applications"&lt;/P&gt;&lt;P&gt;error_message="[{'code': 5000010, 'detail': 
'Server could not process the request.', 'title': 'Internal server error'}]" error_type="&amp;amp;lt;class 'management.mgmtsdk_v2.exceptions.InternalServerErrorException'&amp;amp;gt;" error_arguments="[{'code': 5000010, 'detail': 'Server could not process the request.', 'title': 'Internal server error'}]" error_filename="s1_client.py" error_line_number="188" input_guid="8bb303-be5-6fe3-1b6-63a0c52b60c" input_name="Applications"&lt;/P&gt;&lt;P&gt;error_message="cannot unpack non-iterable NoneType object" error_type="&amp;amp;lt;class 'TypeError'&amp;amp;gt;" error_arguments="cannot unpack non-iterable NoneType object" error_filename="s1_client.py" error_line_number="500" input_guid="8bb303-be5-6fe3-1b6-63a0c52b60c" input_name="Applications"&lt;/P&gt;&lt;P&gt;error_message="[{'code': 5000010, 'detail': 'Server could not process the request.', 'title': 'Internal server error'}]" error_type="&amp;amp;lt;class 'management.mgmtsdk_v2.exceptions.InternalServerErrorException'&amp;amp;gt;" error_arguments="[{'code': 5000010, 'detail': 'Server could not process the request.', 'title': 'Internal server error'}]" error_filename="s1_client.py" error_line_number="188" input_guid="8bb303-be5-6fe3-1b6-63a0c52b60c" input_name="Applications"&lt;/P&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;After noting the following in the release notes&lt;/P&gt;&lt;TABLE border="1" width="100%"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD width="100%"&gt;&lt;SPAN&gt;Improvements&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;...&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;-- Applications input uses a new S1 API endpoint to reduce load on ingest.&lt;/SPAN&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;we upgraded the add-on from version 5.19 to version 5.20.&lt;/P&gt;&lt;P&gt;Now we're seeing the following messages in the sentinelone-modularinput.log&lt;/P&gt;&lt;TABLE border="1" width="100%"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD width="100%"&gt;2024-02-22 13:40:02,171 log_level=WARNING pid=41568 
tid=MainThread file="sentinelone.py" function="get_channel" line_number="630" version="IA-sentinelone_app_for_splunk.5.2.0b87" action=saving_checkpoint msg='not saving checkpoint in case there was a communication error' start=1708026001000 items_found=0 channel=applications&lt;BR /&gt;2024-02-22 13:40:01,526 log_level=WARNING pid=41568 tid=MainThread file="sentinelone.py" function="get_channel" line_number="599" version="IA-sentinelone_app_for_splunk.5.2.0b87" action=calling_applications_channel status=start start=1708026001000 start_length=13 start_type=&amp;lt;class 'str'&amp;gt; end=1708630801000 end_length=13 end_type=&amp;lt;class 'str'&amp;gt; checkpoint=1708026001.525169 channel=applications&lt;BR /&gt;2024-02-22 13:40:01,526 log_level=WARNING pid=41568 tid=MainThread file="sentinelone.py" function="get_channel" line_number="580" version="IA-sentinelone_app_for_splunk.5.2.0b87" action=got_checkpoint checkpoint={'last_execution': 1708026001.525169} channel=applications last_execution=1708026001.525169&lt;BR /&gt;2024-02-22 13:40:01,525 log_level=WARNING pid=41568 tid=MainThread file="sentinelone.py" function="get_channel" line_number="565" version="IA-sentinelone_app_for_splunk.5.2.0b87" action=got_checkpoint checkpoint={'last_execution': 1708026001.525169} channel=applications type=&amp;lt;class 'dict'&amp;gt;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;It appears that the input is running but we're not seeing any events.&amp;nbsp; We also noted the following in the documentation for version 5.2.0.&lt;/P&gt;&lt;TABLE&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD width="247px"&gt;sourcetype&lt;/TD&gt;&lt;TD width="270px"&gt;SentinelOne API&lt;/TD&gt;&lt;TD width="97px"&gt;Description&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD width="247px"&gt;...&lt;/TD&gt;&lt;TD width="270px"&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD width="97px"&gt;&amp;nbsp;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD width="247px"&gt;sentinelone:channel:applications&lt;/TD&gt;&lt;TD 
width="270px"&gt;web/api/v2.1/installed-applications&lt;/TD&gt;&lt;TD width="97px"&gt;Deprecated&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;Does this mean that the input has been deprecated?&lt;/P&gt;&lt;P&gt;If so, what does the statement "&lt;SPAN&gt;Applications input uses a new S1 API endpoint to reduce load on ingest." in the release notes mean?&amp;nbsp; And why is the Applications channel still an option when creating inputs through the Splunk UI?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;Any information you can provide on the application channel would be greatly appreciated.&lt;/P&gt;</description>
      <pubDate>Thu, 22 Feb 2024 21:40:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/SentinelOne-Applications-Channel-No-Longer-Populating-Events/m-p/678396#M113364</guid>
      <dc:creator>ericnewman</dc:creator>
      <dc:date>2024-02-22T21:40:52Z</dc:date>
    </item>
    <item>
      <title>Re: SentinelOne Applications Channel No Longer Populating Events</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/SentinelOne-Applications-Channel-No-Longer-Populating-Events/m-p/704962#M116602</link>
      <description>&lt;P&gt;We started seeing this recently as well.&amp;nbsp; Also the various S1 Splunk integrations do not understand or permit having the IA and App on the same instance so Victoria experience doesn't work properly.&amp;nbsp; This is also the case for the various scalyr dataset add ons, cannot create inputs because it complains about being on a search head.&lt;/P&gt;</description>
      <pubDate>Thu, 21 Nov 2024 16:07:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/SentinelOne-Applications-Channel-No-Longer-Populating-Events/m-p/704962#M116602</guid>
      <dc:creator>mstanton</dc:creator>
      <dc:date>2024-11-21T16:07:25Z</dc:date>
    </item>
  </channel>
</rss>

