Which version of Cisco Security Suite have you installed? I have configured Cisco Security Suite 3.1.1 on Splunk 6.3.1 and it seems OK for the most part, apart from the Cisco IPS app, which is not functioning (there is a case opened in Splunk for that, ADDON-6014), and some warning signs:
Eventtype 'ciscoesaauthentication' does not exist or is disabled.
Eventtype 'ciscoesaemail' does not exist or is disabled.
Eventtype 'ciscoesaproxy' does not exist or is disabled.
For the above I simply disabled the Eventtype cisco-esa and the warning signs were gone.
Maybe a simple thing worth trying: try the installation using a different Internet browser? I've sometimes had issues with IE, and now tend to use Firefox to configure stuff over the web.
I wanted to chime in that disabling the eventtype also fixed my warnings. As a new Splunk user, I wasn't aware that you could disable eventtypes. Thanks for posting.
Same thing happens in my environment; I'm guessing it's not completely compatible w/ 6.3. When I click help/Setup, eventually I get the message:
Splunk could not perform action for resource apps/local/Splunk_CiscoSecuritySuite Splunkd daemon is not responding: ("Error connecting to /servicesNS/manderson/Splunk_CiscoSecuritySuite/apps/local/Splunk_CiscoSecuritySuite/setup: ('The read operation timed out',)",)
I'm getting the same thing on Splunk 6.2.6. When opening the app after installation I get the screen:
The "Cisco Security Suite" app has not been fully configured yet. This app has configuration properties that can be customized for this Splunk instance. Depending on the app, these properties may or may not be required.
When I click on the "Continue to app setup page" button the browser window sits there for an indefinite period of time and the app never completes setup.
Have you tried increasing your splunkdConnectionTimeout in the web.conf file - etc/system/local/web.conf? I had a similar issue when running this on my local test instance running 6.3.2. I'm using: splunkdConnectionTimeout = 1400
Thanks for the suggestion. I'd read similarly elsewhere and it looks like I have that set to 1200 on my Search Head. I'm thinking bumping it to 1400 probably won't have too much of an effect if it's already choking.
We're in the same situation, but I discovered that the unresponsive/timeout on the setup screen only occurs when the app is accessed by an account that has the Splunk admin role. Using a user account that only has access to just this app and nothing else appears to work (the user is getting other errors that we're still investigating but don't appear related).
So the questions now are: What is it about the admin role that triggers this "setup" screen? Can it be bypassed or manually configured somewhere else?
I have the same experience with Splunk 6.3.3 and Cisco Enterprise Security 3.1.1. Logging in with non-admin user works fine. When I try with a user in an admin role, I am prompted to the app setup page. When I click the button, there is a delay of ~30s and then I get these errors (I intentionally obfuscated the username in the path):
Splunk could not perform action for resource apps/local/Splunk_CiscoSecuritySuite Splunkd daemon is not responding: ("Error connecting to /servicesNS/username/Splunk_CiscoSecuritySuite/apps/local/Splunk_CiscoSecuritySuite/setup: ('The read operation timed out',)",)
There was an error retrieving the configuration, can not process this page.