Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Bug[?] in SSE 3.0 Data Introspection Status
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
after several re-runs of the introspection, I'm basically out of ideas.
I'm having the strange behaviour, that the first four sourcetype-based searches in step two never complete. My first thought was that there has to be an issue with the searches itselves (first searches are all about AWS). Trying to cancel the specific search results in a TypeError:
data_inventory_introspection.js?bust=10263:2501 Uncaught TypeError: intro_steps[stage].cancel is not a function
at HTMLAnchorElement.<anonymous> (data_inventory_introspection.js?bust=10263:2501)
at HTMLAnchorElement.dispatch (common.js:26)
at HTMLAnchorElement.elemData.handle (common.js:26)
After digging into the sourcecode of app/Splunk_Security_Essentials/components/controls/data_inventory_introspection.js I've noticed, that you can't skip not-running/pending searches at all:
// line 369-371
let shouldCancel = false
if(intro_elements[sourcetypeLookup['productId']].status == "searching"){
shouldCancel = true
}
Next I deleted the corresponding elements from the array/object in runtime (e.g. Developer Tools in Chrome) before running the introspection:
delete(intro_elements["AWS__CloudTrail"])
delete(intro_elements["AWS__CloudWatch"])
delete(intro_elements["AWS__Config"])
delete(intro_elements["AWS__S3"])
delete(intro_elements["AWS__VPC_Flow_Logs"])
This actually worked. The searches have been 'skipped' (well they don't exist anymore) but now the next four searches are not beeing completed. While all this happens, CIM Searches in Step one stay queued and not start at all.
I would really appreciate any help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have an odd solution/workaround for this.
Ofc i was fully aware, that deleting the array elements would prob. mess things up and decided to remove anything AWS related (although the problem isn't specific to the AWS searches) from the source.
So I've used the Lookup Editor Add-On to remove them from the Lookups
- KV Store:
data_inventory_products - CSV File:
SSE-default-data-inventory-products.csv(to prevent from beeing loaded in the KV Store again)
After that, I've refreshed via https://yoursplunkhost/en-GB/debug/refresh
Well, this didn't change anything. After resetting and re-run the introspection, I experienced the same behaviour BUT after adding the entries back to the CSV and KV Store, the introspection ran as intended.
I have no idea if there is a legit issue with the procedure where the KV Store is initially filled with the contents of the CSV file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on you own findings I found that the Data in my kv store lookup "data_inventory_products_lookup" was likely outdated from a previous version.
So my issue was fixed by:
| inputlookup SSE-default-data-inventory-products.csv
| outputlookup data_inventory_products_lookup
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Peter,
I tried that query and now get the following error:
Error!
Received the following error:
Description Message
Error occurred while grabbing data_inventory_products 'stage'
Error during Data Availability Enrichment 'list' object has no attribute 'split'
Got any advice for how to fix that?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, now you should have the buttons for Introspection back and there is a button in the popup menu, that says "Reset all Configurations".
Hit it and afterwards it should be fine again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have an odd solution/workaround for this.
Ofc i was fully aware, that deleting the array elements would prob. mess things up and decided to remove anything AWS related (although the problem isn't specific to the AWS searches) from the source.
So I've used the Lookup Editor Add-On to remove them from the Lookups
- KV Store:
data_inventory_products - CSV File:
SSE-default-data-inventory-products.csv(to prevent from beeing loaded in the KV Store again)
After that, I've refreshed via https://yoursplunkhost/en-GB/debug/refresh
Well, this didn't change anything. After resetting and re-run the introspection, I experienced the same behaviour BUT after adding the entries back to the CSV and KV Store, the introspection ran as intended.
I have no idea if there is a legit issue with the procedure where the KV Store is initially filled with the contents of the CSV file.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
