topic Re: Why do we get errors on the REST command in the Investigation Overview dashboard on Splunk ES? in Splunk Enterprise Security

Why do we get errors on the REST command in the Investigation Overview dashboard on Splunk ES?

hettervik — Thu, 19 Dec 2019 13:57:50 GMT

Hi,

After upgrading to Splunk ES version 6.0.0 we got the Investigation Overview dashboard, but we have some problems when running it. If we try to look for investigations far back in time, the searches on the dashboard doesn't work, and they give an error. More specifically, the search | rest splunk_server=local count=0 /services/storage/investigation/investigation all=true earliest="-90d@d" latest="now" gives the error Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/storage/investigation/investigation [...] from server https://127.0.0.1:8089 [...]. Note, it works fine if we are not looking that far back, it only throws an error if we look for investigations older than a certain time. We don't know if it's the amount of time looking back itself, or if it is a certain investigation that causes the REST call to crash, but either way this looks like a bug to me.

Anyone else have experienced the same issue, or possible have a fix?

Re: Why do we get errors on the REST command in the Investigation Overview dashboard on Splunk ES?

hettervik — Thu, 06 Feb 2020 08:54:05 GMT

We tried fixing the problem by deleting all investigations older than a certain date. This "solved" the problem for a time, but now the problem has reappeared. Again we can use the REST commando to look for investigations older than a certain date. We can't figure out why. It seems like a bug to us.

Re: Why do we get errors on the REST command in the Investigation Overview dashboard on Splunk ES?

GDustin — Fri, 23 Apr 2021 20:32:23 GMT

Having the same problem, we can walk right up to 7 days then it starts bricking, it seemed to work fine right out of the box, at first then I think once we broke 7 days age it went away; 6.0.1

variations trying to inspect:

| `investigations` all=true earliest="-8d" latest="now"

Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/storage/investigation/investigation?count=0&all=true&earliest=-8d&latest=now from server https://127.0.0.1:8089. Check that the URI path provided exists in the REST API.

Re: Why do we get errors on the REST command in the Investigation Overview dashboard on Splunk ES?

xori22 — Wed, 04 Jan 2023 16:43:04 GMT

Hi stuck on the same issue here..

works fine for specific time but when we go far from 50 days~ it breaks

any help?