Installation

"Windows Event Code Security Analysis" does not work

hamanako
Explorer

Hi, my name is hamanako.

I would like to use "Windows Event Code Security Analysis", but when I select the "Lookup OverView" or "Table Analysis" menu, I get the following error.

Please let me know how to solve this problem.

Error message:
  The app you requested is not available on "splunk_wineventcode_secanalysis".
  The app you requested is not available on this system. Check the spelling of the app, or choose another from the following list:

Environment:
  OS:  Windows 2012
  Splunk Enterprise 8.1.2 (Free)

  Windows Event Code Security Analysis Version 1.3
    file name: splunk_wineventcode_secanalysis
https://github.com/stressboi/splunk_wineventcode_secanalysis



mamesuke
Explorer

Please change the link to the following.

https://<hostname>/en-US/app/splunk_wineventcode_secanalysis/lookup_overview?

↓   add "-master"

https://<hostname>/en-US/app/splunk_wineventcode_secanalysis-master/lookup_overview?

hamanako
Explorer

>> mamesuke

Thank you very much for your answer.
I was able to show the "Lookup Overview" by adding "-master" to the link.

How can I get the "Lookup Overview" to appear when I click the "Lookup Overview" menu from the "Windows Event Code Security Analysis" screen?


mamesuke
Explorer

Please remove the app and install it again.

If you download it from github, it will be named "splunk_wineventcode_secanalysis-master.zip".

But when you add it to your Splunk apps, rename the zip file as follows:

splunk_wineventcode_secanalysis-master.zip

↓   remove "-master"

splunk_wineventcode_secanalysis.zip


hamanako
Explorer

>> mamesuke

I followed the instructions you provided, but to no avail.

1) Remove the current app
      /opt/splunk/bin/splunk remove app splunk_wineventcode_secanalysis-master
2) Download a new splunk_wineventcode_secanalysis-master.zip from GitHub
3) Rename the file to "splunk_wineventcode_secanalysis.zip"
4) Import splunk_wineventcode_secanalysis.zip from "install app from file".

On GitHub, there is the following description:

 "REQUIRES COMMON INFORMATION MODEL 4.14+ with properly populated signature_id field!"

I haven't done anything about the "properly populated signature_id field!" because I don't know how to do that. Is this relevant here?

Environment:
# /opt/splunk/bin/splunk display app
  Splunk_SA_CIM CONFIGURED ENABLED INVISIBLE
  Splunk_TA_windows UNCONFIGURED ENABLED INVISIBLE
  splunk_wineventcode_secanalysis-master UNCONFIGURED ENABLED VISIBLE


mamesuke
Explorer

I didn't explain it well enough.

1) Remove the current app
      /opt/splunk/bin/splunk remove app splunk_wineventcode_secanalysis-master

2) Download a new splunk_wineventcode_secanalysis-master.zip from GitHub

3) Extract the file and rename the folder inside it:
 splunk_wineventcode_secanalysis-master/splunk_wineventcode_secanalysis-master/appserver(bin,default...)

↓   remove "-master" from the inner folder

 splunk_wineventcode_secanalysis-master/splunk_wineventcode_secanalysis/appserver(bin,default...)

4) Compress the renamed folder:
 splunk_wineventcode_secanalysis/appserver(bin,default...) → splunk_wineventcode_secanalysis.zip

5) Import splunk_wineventcode_secanalysis.zip from "install app from file".

Your environment is fine.

I hope your problem is solved soon.
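
The steps above come down to one thing: Splunk takes the app id from the top-level folder inside the zip, so a GitHub "Download ZIP" archive installs as `splunk_wineventcode_secanalysis-master` and every dashboard link built for `/app/splunk_wineventcode_secanalysis/...` misses. The following added example (not code from the thread or from the app's author) automates steps 3 and 4 with Python's standard `zipfile` module; the sample archive it builds is a constructed stand-in, not the real download, and the `default/app.conf` check is an assumption about what a Splunk app must contain.

```python
import io
import zipfile

APP_ID = "splunk_wineventcode_secanalysis"  # folder name Splunk will use as the app id


def top_level_folder(zip_bytes: bytes) -> str:
    """Return the single top-level folder of a zip, or raise if there is not exactly one."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        tops = {name.split("/", 1)[0] for name in zf.namelist() if name}
    if len(tops) != 1:
        raise ValueError(f"expected exactly one top-level folder, found {sorted(tops)}")
    return tops.pop()


def entry_names(zip_bytes: bytes) -> list:
    """Sorted list of every entry (files and folders) in the zip, for inspection."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist())


def repackage_app_zip(zip_bytes: bytes, app_id: str = APP_ID) -> bytes:
    """Rewrite a GitHub 'Download ZIP' archive so its top-level folder is exactly app_id.

    GitHub names that folder '<repo>-master'; Splunk installs the app under the
    folder name, so links that target /app/<app_id>/... break unless the
    folder is renamed before 'install app from file'.
    """
    old_top = top_level_folder(zip_bytes)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        # Assumption: a Splunk app always ships default/app.conf; refuse anything else.
        if f"{old_top}/default/app.conf" not in src.namelist():
            raise ValueError("not a Splunk app: default/app.conf missing")
        for info in src.infolist():
            new_name = app_id + info.filename[len(old_top):]  # swap only the prefix
            dst.writestr(new_name, b"" if info.is_dir() else src.read(info))
    return out.getvalue()


def make_sample_github_zip() -> bytes:
    """Constructed stand-in for splunk_wineventcode_secanalysis-master.zip (not the real app)."""
    buf = io.BytesIO()
    top = APP_ID + "-master"
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{top}/", b"")
        zf.writestr(f"{top}/default/app.conf", b"[launcher]\nversion = 1.3\n")
        zf.writestr(f"{top}/appserver/static/", b"")
        zf.writestr(f"{top}/bin/README", b"constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    fixed = repackage_app_zip(make_sample_github_zip())
    print("top-level folder is now:", top_level_folder(fixed))  # → splunk_wineventcode_secanalysis
```

Write the returned bytes to `splunk_wineventcode_secanalysis.zip` and upload that file in "install app from file"; `splunk display app` should then list the app without the "-master" suffix.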

hamanako
Explorer

>> mamesuke

Special Thanks!

By following the instructions you provided, the app worked as expected.
I was finally able to solve the problem.

I apologize for the late reply.
Thank you very much for your detailed explanation.
