
Why does the Splunk Security Essentials app have missing pictures, broken checks, etc.?

mlevsh
Builder

We have Splunk Security Essentials 2.1.0 installed on our Development Splunk search head v. 7.0.1.
We've recently noticed that it stopped displaying pictures, checks are not working, etc.
It started around the time it was updated to v. 2.0.0.
We reinstalled the app - the same issue.
At the same time, it works OK on another standalone search head (which cannot be used).
We need SSE to be available on the server where it has issues.

Any advice where to look first?

1 Solution

David
Splunk Employee

Update 10/7/2019

There have been numerous bug fixes in SSE 2.4 and 2.5 to attempt to work around Issues Two and Three below. Those should not pop up anymore (though if you think they impact you, please reach out!).

Number one is an underlying issue in Splunk Enterprise, though we also attempt to work around this in SSE. If you have admin rights, we will automatically issue a _bump when you browse to the app after an upgrade. This is a bit hacky, so you can always issue a _bump directly as detailed below.


We've seen three causes for this. If none of those scenarios seem to fit the bill for your environment, let me know and we can set up a webex to go through it.

Number One: Most Likely
The most common culprit for this is a core bug with refreshing static assets. To get around this, run a _bump by browsing to http://yoursplunk:8000/en-US/_bump and click the button.

Number Two: Less Likely
Another environment was using an SSL terminating proxy, but not rewriting http to https on 302 redirects. The root cause here is that Splunk Security Essentials makes no assumption for what language you use in your environment, and makes requests to /static/app/Splunk_Security_Essentials/... for images, javascript, css, json files, etc. Normally Splunk will then provide a 302 redirect to /en-US/static/app/Splunk_Security_Essentials/... adding the language code on the front (obviously this will be whatever language the user's browser uses, not necessarily en-US). If your SSL load balancer automatically re-writes normal requests from HTTP to HTTPS for you, but doesn't re-write 302 redirects, then all of a sudden your browser will be trying to request an HTTP page and the load balancer won't know what it's talking about.

Number Three: Even Less Likely
Like number two, Splunk automatically prepends a language to the URL of all requests via 302 redirect. If I request assets like /static/app/Splunk_Security_Essentials/images/general_images/nobookmark.png, Splunk will automatically 302 redirect the session to /en-US/static/app/Splunk_Security_Essentials/images/general_images/nobookmark.png (presuming that I am using a browser configured for US English).

The load balancer this customer was using was happy handling the redirect if someone went to just the root page (e.g., https://splunk.mycompany.com/) but if they gave a URL of https://splunk.mycompany.com/static/app/Splunk_Security_Essentials/images/general_images/nobookmark...., the load balancer would return a 404 instead of a 302 redirect to the correct language: https://splunk.mycompany.com/en-US/static/app/Splunk_Security_Essentials/images/general_images/noboo...

Not knowing all the ins and outs of every customer's load balancer configs, there could be many different solutions. The easiest two, though, are likely either of:
- forward all requests to Splunk so that Splunk can provide the redirect
- build a translation rule for /static to /en-US/static so that the load balancer will know not to return a 404.

View solution in original post
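
A small diagnostic for Issues Two and Three described in the answer above, as an added example that is not part of the original post or of Splunk's code: it classifies the proxy's response to a language-less /static/ request. The sample responses are constructed, and the locale pattern and the `diagnose`/`probe` names are assumptions.

```python
import http.client
import re
from urllib.parse import urljoin, urlsplit

# Assumed shape of the language prefix Splunk Web adds (en-US, de-DE, ja-JP, ...).
LOCALE = re.compile(r"^/[A-Za-z]{2}(-[A-Za-z]{2})?$")

def diagnose(request_url, status, location=None):
    """Classify the answer to a language-less /static/ asset request."""
    req = urlsplit(request_url)
    if status == 200:
        return "ok"            # proxy already maps /static to a language path
    if status == 404:
        return "issue-three"   # proxy answered 404 instead of relaying the 302
    if status not in (301, 302, 303, 307, 308) or not location:
        return "unexpected"
    target = urlsplit(urljoin(request_url, location))  # resolves relative Location
    if req.scheme == "https" and target.scheme == "http":
        return "issue-two"     # redirect not rewritten from http to https
    prefix = target.path[: -len(req.path)] if target.path.endswith(req.path) else ""
    return "ok" if LOCALE.match(prefix) else "unexpected"

def probe(url, timeout=5):
    """Fetch url once without following redirects, then classify the response."""
    u = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if u.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(u.netloc, timeout=timeout)
    try:
        conn.request("GET", u.path)
        resp = conn.getresponse()
        return diagnose(url, resp.status, resp.getheader("Location"))
    finally:
        conn.close()

# Constructed responses for the asset path quoted in the answer above.
ASSET = ("https://splunk.mycompany.com/static/app/Splunk_Security_Essentials"
         "/images/general_images/nobookmark.png")
PATH = urlsplit(ASSET).path
SAMPLES = {
    "healthy": (302, "/en-US" + PATH),
    "http redirect": (302, "http://splunk.mycompany.com/en-US" + PATH),
    "proxy 404": (404, None),
}

def run_samples():
    return {name: diagnose(ASSET, s, loc) for name, (s, loc) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:15} -> {verdict}")
```

Calling `probe()` with an asset URL from your own deployment issues a single GET without following redirects and returns the same verdict strings.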

splunkreal
Motivator

"SSE-313 Splunk Security Essentials 3.3.3 not loading images (png files) behind Apache haproxy load balanced servers" logged.

https://wiki.splunk.com/Community:SplunkBehindAProxy

# catch all static asset requests
	RewriteRule ^/(static.*) /mysplunk/$1 [P]

splunkreal
Motivator

This solved it on the Apache LB:

RewriteRule ^/(static.*) /mysplunkendpoint/$1 [P]

https://wiki.splunk.com/Community:SplunkBehindAProxy


mlevsh
Builder

@David Splunk,
Sorry for the delay.
Neither of those scenarios is the case. Can we set up a webex to go through it as you suggested?


usmsplunk
Engager

Did this get resolved?
Any info on how you fixed it?


mlevsh
Builder

@usmsplunk, sorry for the delay. Yes, we solved it with the help of @David Veuve and with the help of our Web Hosting admin.

In our case, we are using the Apache web server on search heads, so we updated /etc/httpd/conf.d/splunk.conf as root on our search head server
with the following entries:
….

ProxyPass /static https://ourserver.company.com:8443/static
ProxyPass /static/app https://ourserver.company.com:8443/static/app
ProxyPassReverse /static https://ourserver.company.com:8443/static
ProxyPassReverse /static/app https://ourserver.company.com:8443/static/app
….

And restarted Apache: service httpd restart


GDustin
Path Finder

..._bump worked for me so far 7.0.3 and 2.2.0
