Installation

"Windows Event Code Security Analysis" not work

hamanako
Explorer

Hi, my name is hamanako.

I would like to use "Windows Event Code Security Analysis", but when I select the "Lookup OverView" or "Table Analysis" menu, I get the following error.

Please let me know how to solve this problem.

Error message:
  The app you requested is not available on "splunk_wineventcode_secanalysis".
  The app you requested is not available on this system. Check the spelling of the app, or choose another from the following list:

Environment:
  OS:  Windows 2012
  Splunk Enterprise 8.1.2 (Free)

  Windows Event Code Security Analysis Version 1.3
    file name: splunk_wineventcode_secanalysis
https://github.com/stressboi/splunk_wineventcode_secanalysis

Labels (1)
0 Karma

mamesuke
Explorer

Please change the link to the following.

https://<hostname>/en-US/app/splunk_wineventcode_secanalysis/lookup_overview?

↓   add "-master"

https://<hostname>/en-US/app/splunk_wineventcode_secanalysis-master/lookup_overview?

hamanako
Explorer

>> mamesuke 

Thank you very much for your answer.
I was able to show the "Lookup Overview" by adding "-master" to the link.

How can I get the "Lookup Overview" to appear when I click the "Lookup Overview" menu from the "Windows Event Code Security Analysis" screen?

0 Karma

mamesuke
Explorer

Please remove the app and install it again.

If you download it from github, it will be named "splunk_wineventcode_secanalysis-master.zip".

But when you add it to your Splunk apps, rename the zip file as follows:

splunk_wineventcode_secanalysis-master.zip

↓   remove "-master"

splunk_wineventcode_secanalysis.zip

0 Karma

hamanako
Explorer

>> mamesuke

I followed the instructions you provided, but to no avail.

 1) Remove the current app
      /opt/splunk/bin/splunk remove app splunk_wineventcode_secanalysis-master
 2) Download a new splunk_wineventcode_secanalysis-master.zip from GitHub
 3) Rename the file to "splunk_wineventcode_secanalysis.zip"
 4) Import splunk_wineventcode_secanalysis.zip from "install app from file".

On GitHub, there is the following description:

 "REQUIRES COMMON INFORMATION MODEL 4.14+ with properly populated signature_id field!"

I haven't done anything about the "properly populated signature_id field" because I don't know how to do that. Is this relevant here?

Environment:
# /opt/splunk/bin/splunk display app
  Splunk_SA_CIM CONFIGURED ENABLED INVISIBLE
  Splunk_TA_windows UNCONFIGURED ENABLED INVISIBLE
  splunk_wineventcode_secanalysis-master UNCONFIGURED ENABLED VISIBLE

0 Karma

mamesuke
Explorer

I didn't explain it well enough.


1) Remove the current app
      /opt/splunk/bin/splunk remove app splunk_wineventcode_secanalysis-master

2) Download a new splunk_wineventcode_secanalysis-master.zip from GitHub

3) Extract the file and rename the folder inside it:
 splunk_wineventcode_secanalysis-master/splunk_wineventcode_secanalysis-master/appserver(bin,default...)

↓   remove "-master"

 splunk_wineventcode_secanalysis-master/splunk_wineventcode_secanalysis/appserver(bin,default...)

4) Compress the folder:
 splunk_wineventcode_secanalysis/appserver(bin,default...) → splunk_wineventcode_secanalysis.zip

5) Import splunk_wineventcode_secanalysis.zip from "install app from file".

Your environment is fine.

I hope your problem is solved soon.
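Added example, not from the thread and not from the splunk_wineventcode_secanalysis project: a POSIX shell script that performs steps 3 and 4 of the answer above (rename the extracted folder so it carries the app id, then repackage it) and checks the archive before it is uploaded. The mock folder layout and the minimal default/app.conf it creates are constructed stand-ins for the real GitHub download; the script writes a .tar.gz rather than a .zip because tar is available on any Splunk host, and Splunk Web's "Install app from file" accepts .tar.gz/.spl uploads as well as .zip.

```shell
#!/bin/sh
# Added example (not from the thread or the app's repository): rename the
# extracted GitHub folder to the Splunk app id, repackage it, and verify the
# archive's top-level directory before uploading it to Splunk.
set -eu

APP_ID="splunk_wineventcode_secanalysis"

# Constructed stand-in for the unpacked GitHub zip: the real download unpacks
# to "<repo>-master/"; only a minimal default/app.conf is mocked here.
make_mock_download() {
  work="$1"
  for d in appserver bin default; do
    mkdir -p "$work/$APP_ID-master/$d"
  done
  printf '[ui]\nis_visible = 1\nlabel = Windows Event Code Security Analysis\n' \
    > "$work/$APP_ID-master/default/app.conf"
  echo "$work/$APP_ID-master"
}

# Steps 3 and 4 of the answer: drop the "-master" suffix so the directory name
# equals the app id that the app's own navigation links refer to, then pack it.
# Prints the path of the resulting archive.
repackage_app() {
  src="$1"
  parent=$(dirname "$src")
  target="$parent/$APP_ID"
  [ -d "$src" ] || { echo "source folder not found: $src" >&2; return 1; }
  [ -f "$src/default/app.conf" ] || { echo "no default/app.conf in $src" >&2; return 1; }
  [ ! -e "$target" ] || { echo "target already exists: $target" >&2; return 1; }
  mv "$src" "$target"
  # tar.gz instead of zip: tar exists on every Splunk host, and Splunk Web
  # accepts .tar.gz/.spl uploads as well as .zip.
  tar -C "$parent" -czf "$parent/$APP_ID.tar.gz" "$APP_ID"
  echo "$parent/$APP_ID.tar.gz"
}

# Pre-upload check: every entry in the archive must sit under one top-level
# directory, and that directory must not still carry the "-master" suffix.
# Prints the top-level directory name.
archive_top_dir() {
  tops=$(tar -tzf "$1" | cut -d/ -f1 | sort -u)
  set -- $tops
  [ "$#" -eq 1 ] || { echo "archive has several top-level entries" >&2; return 1; }
  case "$1" in
    *-master) echo "folder still carries the -master suffix: $1" >&2; return 1 ;;
  esac
  echo "$1"
}

# End-to-end run on the mock download; prints the verified directory name.
demo() {
  work=$(mktemp -d)
  src=$(make_mock_download "$work")
  pkg=$(repackage_app "$src")
  top=$(archive_top_dir "$pkg")
  rm -rf "$work"
  echo "$top"
}
```

The reason the rename matters is visible in the thread itself: Splunk takes the app id from the directory name under $SPLUNK_HOME/etc/apps, and the app's menu links point at /app/<app id>/..., so a directory named with "-master" installs and even renders its dashboards when addressed by hand, while the built-in navigation still fails. Listing the archive's contents before the upload, as archive_top_dir does, catches that mismatch on the workstation instead of on the search head.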

hamanako
Explorer

>> mamesuke

Special Thanks!

By following the instructions you provided, the app worked as expected.
I was finally able to solve the problem.

I apologize for the late reply.
Thank you very much for your detailed explanation.

0 Karma