
SentinelOne API key failing for Splunk App

si_CE
Engager

This recently worked before. From the SentinelOne side, I have access to one of their admins to re-generate keys. They reported that they are unable to provide legacy API tokens for the Splunk App dating back to 2024. We have changed the API key with success as recently as this year.

Upgraded IA-sentinelone_app_for_splunk to 6.0.0 

Curl fails from the HF which also worked before. Not likely an app issue, but wondering if a new configuration is required. 

 

Has anyone else encountered something similar?

0 Karma

si_CE
Engager

Auth errors were internal -- we were able to use the new JWS token created on SentinelOne under service accounts.

This did not work yesterday, but it did within 24 hours of bringing it to their attention, so I am not sure what changed.

If I am able to reverse-engineer what was changed, I will post here. 

kknairr
Contributor

@si_CE Sounds good. Thank you.

0 Karma

kknairr
Contributor

@si_CE Did you check the internal logs for any related errors? That would help us understand the issue. As per your query, I presume this is an authentication issue, which can be confirmed from the internal logs for the app/add-on input. 

Please confirm your Splunk Enterprise version and ensure its compatibility with the app version on the HF.

Below is the new add-on (TA), which should be installed on the HF.

Input Add On for SentinelOne App For Splunk | Splunkbase

>>

If this post addressed your question, you can:

  • Give it karma to show appreciation 👍
  • Mark it as the solution if it solved your issue ✔️
  • Add a comment if you’d like more details ✏️

Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise.

>>

 
