Re: vectra integration

aly347774 · ‎02-04-2024

when I go to search head to change configuration of TA_vectra_detect_json I find this (You do not have permissions to edit this configuration.)

aly347774 · ‎02-05-2024

When I go to SearchHead to edit, it tells me this message (You do not have permissions to edit this configuration)

Richfez · ‎02-06-2024

Yes. IF you have a search head cluster (shc), AND you are trying to edit the config on one of the members instead of on the deployer, THEN that's exactly the message I expect you to get.

It *might* be possible to get that if you simply don't have some permission or another that's required, but I think those messages are different ones.

So - Do you have a search head cluster?

If you don't know, then ask your Splunk folks and/or have them manage this config for you.

If you are the Splunk person and don't know what I'm saying (and you built it) then you don't have a SHC and we'll have to look into other things.

(Also, please be careful as to *which* "reply" button you click, so we can keep the threads going correctly instead of being willy-nilly all over the place!)

Richfez · ‎02-05-2024

That specific error is usually caused by you having a Search Head Cluster, then trying to edit configs on a Search Head Member instead of via the Deployer then deploying it.

See this for more information.

https://docs.splunk.com/Documentation/Splunk/9.2.0/DistSearch/PropagateSHCconfigurationchanges

If that does not seem to be the problem here, then reply back with a few more specifics!

vectra integration

heavy forwarder

indexer

universal forwarder

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?