All Apps and Add-ons

"Host Input" dropdown

andreibanaru
Explorer

The host input dropdown in the Netskope App shows an error that it "Cound not create search.".

By looking at the dashboard xml source we observe:

            <label>Host Input</label>
            <default>*</default>
            <choice value="*">All</choice>
            <search>
                <query>| `netskope_configured_inputs`</query>
                <earliest>$time_range.earliest$</earliest>
                <latest>$time_range.latest$</latest>
            </search>

If we remove the leading pipe (|) from the query the error is gone.

The dropdown will now show the FQDN of the Netskope server which feeds the events. I'm wondering if this is the expected behavior. I would have expected to see the computer names under this dropdown.

alt text

0 Karma

aplura_llc_supp
Path Finder

v1.1.0 and v1.0.5 do contain this bug. The macro behind the dropdown was reconfigured, but this dropdown was missed. Look for a new maintenance release to fix this.

The app will also change from "Host Input" to something more clear, as it was intended to be the source Netskope tenant.

The macro should be changed to:

[netskope_configured_inputs]
definition = tstats count where sourcetype=netskope:* by host | fields host

Thanks!

0 Karma

aplura_llc_supp
Path Finder

@andreibanaru v1.1.1 was released to fix that bug. Thanks.

0 Karma

aplura_llc_supp
Path Finder

@andreibanaru What is the version you are using?

0 Karma

andreibanaru
Explorer

Version 1.0.5

0 Karma

aplura_llc_supp
Path Finder

This bug is also present in v1.1.0, so it will be fixed in v1.1.1.

0 Karma

andreibanaru
Explorer

Yeah, we've just installed 1.1.0 and we have the same behavior.

0 Karma

dkeck
Influencer

HI,

depends on how your macro is set up, if it also starts with a pipe, its logical that it will not work if you have two.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...