SentinelOne App Errors

dompico
Loves-to-Learn

Hello,

I'm trying to get SentinelOne data into my cloud instance but I'm getting errors similar to this related to the inputs. At first I was having an issue with authentication errors using the API. I believe that's resolved after regenerating the key, because these are the only logs I can see in the index I created for S1.

error_message="[HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/sentinelone_app_for_splunk/configs/conf-authhosts/********?..." error_type="<class 'splunk.ResourceNotFound'>" error_arguments="[HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/sentinelone_app_for_splunk/configs/conf-authhosts/*********..." error_filename="s1_client.py" error_line_number="162" input_guid="*****************" input_name="Threats"

0 Karma

aplura_llc_supp
Path Finder

Good Salutations!

That error is indicating that credentials cannot be found. It can typically happen when there are multiple SentinelOne Apps installed on the same instance (App, IA, TA). 

If there is more than one installed, remove the ones not for that tier (App => SearchHeads, IA => HF/IDM, TA => IDX). These should be fully removed, "rm rf" if you will, not just disabled. Removed.

Once removed, re-configure the app and try again. 

Thanks!

0 Karma

dompico
Loves-to-Learn

Hello,

I only have this one app from S1 installed on the indexer/search head, which is in Splunk Cloud.

0 Karma

livehybrid
Super Champion

Hi @dompico 

I assume that this is installed on a heavy forwarder within your environment? Please can you confirm how you've installed the app? It looks like the app is looking for authhosts.conf which it cannot find. 

The app doesn't ship with this file, so I presume it's generated as part of the modular input when it runs.

Are there any other errors before this error relating to the retrieval of content from S1 that might be used to populate this conf file?

There's a similar thread at https://community.splunk.com/t5/All-Apps-and-Add-ons/sentinelone-app-no-longer-able-to-connect-to-se...

0 Karma
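Added example, not part of any reply in this thread and not code from the SentinelOne app or from Splunk: a small Python triage helper that splits an error event of the format posted above into its key="value" fields and decomposes the `servicesNS/<owner>/<app>/configs/conf-<file>/<stanza>` REST path, so you can see which conf file and stanza the input failed to read. The function names, the stanza name and the GUID in the sample are assumptions; the sample event is constructed to mirror the masked one in the question.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample in the format shown in the thread. EXAMPLE_STANZA and
# EXAMPLE-GUID are placeholders for the values masked in the original post.
SAMPLE_EVENT = (
    'error_message="[HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/'
    'sentinelone_app_for_splunk/configs/conf-authhosts/EXAMPLE_STANZA?..." '
    "error_type=\"<class 'splunk.ResourceNotFound'>\" "
    'error_filename="s1_client.py" error_line_number="162" '
    'input_guid="EXAMPLE-GUID" input_name="Threats"'
)

KV_RE = re.compile(r'(\w+)="([^"]*)"')
MSG_RE = re.compile(r"\[HTTP (\d{3})\]\s+(\S+)")


def parse_event(line):
    """Split one event into a dict of its key="value" pairs."""
    return dict(KV_RE.findall(line))


def triage(line):
    """Return details of a failed conf lookup, or None if the event is not one."""
    fields = parse_event(line)
    match = MSG_RE.match(fields.get("error_message", ""))
    if not match:
        return None
    status = int(match.group(1))
    parts = [unquote(p) for p in urlsplit(match.group(2)).path.strip("/").split("/")]
    # Expected layout: servicesNS/<owner>/<app>/configs/conf-<file>[/<stanza>]
    if (len(parts) < 5 or parts[0] != "servicesNS" or parts[3] != "configs"
            or not parts[4].startswith("conf-")):
        return None
    return {
        "input_name": fields.get("input_name"),
        "owner": parts[1],
        "app": parts[2],
        "conf_file": parts[4][len("conf-"):] + ".conf",
        "stanza": parts[5] if len(parts) > 5 else None,
        "status": status,
        # A 404 with ResourceNotFound means the stanza does not exist in that app context.
        "missing_stanza": status == 404 and "ResourceNotFound" in fields.get("error_type", ""),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

Running it over exported events and grouping on `app` and `conf_file` shows whether every failing input points at the same app context, which is the question the replies above are trying to answer.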

dompico
Loves-to-Learn

Hello,

This is installed directly on the Splunk Cloud instance. I just started using Splunk about a week ago. To my knowledge, I don't have CLI access to modify any files. I also don't see why I would need to, as there is no mention of a need to in the instructions. They seem to have built everything you would need into the app configuration pages, such as fields to input the API key and whatnot.

I also found the thread you mentioned, but it seems no one was able to come up with a solution then either.

0 Karma