All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can't perform a GET action with this add-on

pwild_splunk
Splunk Employee
Splunk Employee
‎04-28-2020 12:14 AM

I'm trying to perform a simple GET action with this add-on but I'm not GETing anywhere.

This is being reported in the logs.

ERROR sendmodalert - Error in 'sendalert' command: Alert script returned error code 4.

Looking through the code this error reports if the CIM app is not installed. Installing the app makes no difference.

I'm setting these within the alert
Endpoint: http://host.domain.local:5000/command
Query string params: cmd=disarm&master_pin=ABCD
http method: GET

Any suggestions as to what I'm doing wrong?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

brendanmacooper
Explorer
‎04-28-2020 12:31 AM

@pwild_splunk Can you try setting the ingestion index. There was a bug where this option needed to be set even if it wasn't used.

I have a new version for Splunk 8 coming out soon™ that will fix this and a couple of other issues

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

brendanmacooper
Explorer
‎04-28-2020 12:31 AM

@pwild_splunk Can you try setting the ingestion index. There was a bug where this option needed to be set even if it wasn't used.

I have a new version for Splunk 8 coming out soon™ that will fix this and a couple of other issues

0 Karma
Reply
Solved! Jump to solution

pwild_splunk
Splunk Employee
Splunk Employee
‎04-28-2020 10:03 AM

Thanks Brendan, I already had the ingestion index set when I was getting that error. However... I put dummy data in every field and that solved the problem. The only field I didn't have data in was "Ingestion safety max size" which I arbitrarily set to 200 (I assume this is bytes???). This solved the problem.
Many thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...