Hi, my name is hamanako.
I would like to use "Windows Event Code Security Analysis", but when I select the "Lookup OverView" or "Table Analysis" menu, I get the following error.
Please let me know how to solve this problem.
Error message:
The app you requested is not available on "splunk_wineventcode_secanalysis".
The app you requested is not available on this system. Check the spelling of the app, or choose another from the following list:
Environment:
OS: Windows 2012
Splunk Enterprise 8.1.2 (Free)
Windows Event Code Security Analysis Version 1.3
file name: splunk_wineventcode_secanalysis
https://github.com/stressboi/splunk_wineventcode_secanalysis
Please change the link to the following.
https://<hostname>/en-US/app/splunk_wineventcode_secanalysis/lookup_overview?
↓
https://<hostname>/en-US/app/splunk_wineventcode_secanalysis-master/lookup_overview?
>> mamesuke
Thank you very much for your answer.
I was able to show the "Lookup Overview" by adding "-master" to the link.
How can I get the "Lookup Overview" to appear when I click the "Lookup Overview" menu from the "Windows Event Code Security Analysis" screen?
Please remove the app and install it again.
If you download it from github, it will be named "splunk_wineventcode_secanalysis-master.zip".
But when you add it to your splunk app, rename the zip file as follows
splunk_wineventcode_secanalysis-master.zip
↓ remove "-master"
splunk_wineventcode_secanalysis.zip
>> mamesuke
I followed the instructions you provided, but to no avail.
1) Remove the current app
opt/splunk/bin/splunk remove app splunk_wineventcode_secanalysis-master
2) Download new splunk_wineventcode_secanalysis-master.zip from github
3) Rename the file to "splunk_wineventcode_secanalysis.zip"
4) Import splunk_wineventcode_secanalysis.zip from "install app from file".
On github, there is the following description:
"REQUIRES COMMON INFORMATION MODEL 4.14+ with properly populated signature_id field!"
I haven't done anything about the "properly populated signature_id field!" because I don't know how to do that. Is this relevant here?
Environment:
# /opt/splunk/bin/splunk display app
Splunk_SA_CIM CONFIGURED ENABLED INVISIBLE
Splunk_TA_windows UNCONFIGURED ENABLED INVISIBLE
splunk_wineventcode_secanalysis-master UNCONFIGURED ENABLED VISIBLE
I didn't explain it well enough.
1) Remove the current app
/opt/splunk/bin/splunk remove app splunk_wineventcode_secanalysis-master
2) Download new splunk_wineventcode_secanalysis-master.zip from github
3) Extract the file, and rename the folder inside it.
splunk_wineventcode_secanalysis-master/splunk_wineventcode_secanalysis-master/appserver(bin,default...)
↓
splunk_wineventcode_secanalysis-master/splunk_wineventcode_secanalysis/appserver(bin,default...)
4) Compress the folder
splunk_wineventcode_secanalysis/appserver(bin,default...) → splunk_wineventcode_secanalysis.zip
5) Import splunk_wineventcode_secanalysis.zip from "install app from file".
Your environment is fine.
I hope your problem is solved soon.
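The repacking steps above, as an added example that is not part of this thread or of the app's own code: a Python 3 script that rewrites the GitHub zip so its top-level folder is the app id `splunk_wineventcode_secanalysis` (the folder name Splunk uses as the app id, which the dashboard links depend on). The sample zip contents are constructed stand-ins, not the real app's files.

```python
import os
import tempfile
import zipfile

# App id the app's own dashboard links use (the repo name from the thread).
APP_ID = "splunk_wineventcode_secanalysis"

def repack_github_zip(src_zip, dst_zip, app_id=APP_ID):
    """Rewrite a GitHub 'Download ZIP' archive so its top-level folder is app_id.

    GitHub names the top-level folder '<repo>-master'. Splunk installs the app
    under that folder name and treats it as the app id, so links to
    /app/<app_id>/... inside the dashboards point at an app that does not
    exist. Returns the entry names written to dst_zip.
    """
    written = []
    with zipfile.ZipFile(src_zip) as src, \
         zipfile.ZipFile(dst_zip, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            top, sep, rest = info.filename.partition("/")
            # Rename only entries under a top-level directory; root files stay.
            name = f"{app_id}/{rest}" if sep else info.filename
            dst.writestr(name, b"" if info.is_dir() else src.read(info))
            written.append(name)
    return written

def top_level_dirs(zip_path):
    """Set of top-level directory names in the archive (what Splunk will install)."""
    with zipfile.ZipFile(zip_path) as zf:
        return {n.split("/", 1)[0] for n in zf.namelist() if "/" in n}

def build_sample_github_zip(path):
    """Constructed stand-in for the GitHub download; not the real app's files."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(f"{APP_ID}-master/default/app.conf",
                    "[launcher]\nversion = 1.3\n")
        zf.writestr(f"{APP_ID}-master/appserver/static/placeholder.css", "")

def run_demo():
    """Repack a constructed '-master' zip and report top-level dirs before/after."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, f"{APP_ID}-master.zip")
        dst = os.path.join(d, f"{APP_ID}.zip")
        build_sample_github_zip(src)
        names = repack_github_zip(src, dst)
        return {"before": top_level_dirs(src),
                "after": top_level_dirs(dst),
                "entries": names}

if __name__ == "__main__":
    print(run_demo())
```

Point `repack_github_zip` at the real download to produce the zip for "install app from file"; `top_level_dirs` on the result should contain only the app id.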
>> mamesuke
Special Thanks!
By following the instructions you provided, the app worked as expected.
I was finally able to solve the problem.
I apologize for the late reply.
Thank you very much for your detailed explanation.