Knowledge Management

Common Information Model (CIM) Data Model Editor misbehaviour and broken error reporting

DUThibault
Contributor

I've got a standalone Splunk 7.0.0 instance with data fed by a forwarder (monitoring /var/log on the forwarder's system). Following http://docs.splunk.com/Documentation/CIM/4.9.1/User/Howtousethesereferencetables, I open "Settings: (Knowledge) Data models" (the Data Model Editor) and then click on the JVM data model. I get a nasty 404 error:

404 Not Found

[Return to Splunk home page]
Page not found! [View more information about your request (request ID = 5a1dc2d0597fbc90442e50) in Search]

You are logged into ###.###.###.###:8000 as admin, which is connected to splunkd @############ at https://###.###.###.###:8089 on Tue Nov 28 15:10:56 2017.

That by itself is not something that should happen, right? But it gets better! If I click "View more information..." to try to get details about the error, a Search page comes up...with no hits. The search is:

index=_internal host="dsu_01" source=*web_service.log log_level=ERROR requestid=5a1dc2d0597fbc90442e50
No results found.

Which is particularly odd. /opt/splunk/var/log/splunk/web_service.log exists and does contain two entries (see below) for the error ID in question. Is Splunk's introspection incorrectly set up?

2017-11-28 15:10:56,464 WARNING [5a1dc2d0597fbc90442e50] view:165 - Splunk cannot load app "Splunk_SA_CIM" because it could not find a related app.conf file.
2017-11-28 15:10:56,465 INFO [5a1dc2d0597fbc90442e50] error:133 - Masking the original 404 message: 'App "Splunk_SA_CIM" does not support direct UI access. ' with 'Page not found!' for security reasons

This happens with every single one of the 23 Data Models. Now, if one is not supposed to be able to click the Data Model names at all, why is the Data Model Editor displaying links? Presumably one is supposed to just unfold the Data Model line using the ">" in the leftmost column, which does work.

0 Karma
1 Solution

smoir_splunk
Splunk Employee
Splunk Employee

After some investigation, this is likely because you're going to Settings > Data Models > Data Model Editor from the CIM Setup page. Because CIM is a non-visible app, this breaks. I filed SPL-146820 to address this as a bug.

For now, if you start in the Search and Reporting app, then go to Settings > Data Models and click a data model, everything should work fine with no 404.

View solution in original post

esmat777
Explorer

From Apps > choose Manage Apps > search for Splunk CIM

From Actions > Edit properties then Visible choose (Yes)

CIM-Addon : will work normally

smoir_splunk
Splunk Employee
Splunk Employee

After some investigation, this is likely because you're going to Settings > Data Models > Data Model Editor from the CIM Setup page. Because CIM is a non-visible app, this breaks. I filed SPL-146820 to address this as a bug.

For now, if you start in the Search and Reporting app, then go to Settings > Data Models and click a data model, everything should work fine with no 404.

sandeepduppalli
Explorer

You are right I also experienced the same . Thankyou for your input

0 Karma

DUThibault
Contributor

What makes this bug particularly sneaky is that regardless of where you reached the Data Model Editor page from, the "Apps >" menu reverts to "Apps >" so you can't tell whether or not it'll be broken.

0 Karma

DUThibault
Contributor

The Edit Datasets menu and the Pivot and (Datasets) Edit buttons are just as broken. The only things editable are permissions, acceleration, and description. It seems impossible to get something like:  image from docs.splunk.com/Documentation/CIM/4.9.1/User/Howtousethesereferencetables

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

@DUThibault, is the CIM app installed? In addition, did you clear your cache after upgrading to the new version of CIM? A lot of changes were made to the setup page, so I wonder if that is what is happening.

smoir_splunk
Splunk Employee
Splunk Employee

I realized that my comment assumed you were running 4.9.1. If you're running version 4.9.0, you will need to upgrade to version 4.9.1, this is a known issue in 4.9.0 (CIM-575) (that the setup page is not accessible).

DUThibault
Contributor

Nope, 4.8.0 upgraded to 4.9.1. How does one clear the Splunk cache?

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

@DUThibault

You can clear the splunk cache this way:
http:///en-US/_bump

And you can also try clearing the browser cache and/or trying an incognito window. If the issue persists, I would suggest working with Splunk Support to see if it's a bug that you've run into.

0 Karma

DUThibault
Contributor

Bumping the cache fixed the Data Model editing problem. Thanks!

This leaves the second layer, the error reporting problem ---assuming it's still there. But there is no easy way to test that, is there?

Oops, spoke too soon! I've found out that bumping is not the solution...The problem apparently has to do with the App selected in the Apps menu when you visit the Data Model editor. Consider these two URLs:

https://192.168.1.170:8000/en-US/manager/Splunk_SA_CIM/data_model_manager?sortKey=displayName&sortDi...
https://192.168.1.170:8000/en-US/manager/MyFirstApp/data_model_manager?sortKey=displayName&sortDirec...

In the first, clicking a data model fails as documented earlier. In the second, the various links work just fine. It does not have to be a custom app like MyFirstApp, Search or gettingstarted, etc., will also work. It seems only the Splunk_SA_CIM triggers the bug. And one of the only ways you can get there is if you are in the CIM Setup page and then choose "Settings: (Knowledge) Data models". I'll file a bug.

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Yes, that certainly sounds like a bug. Thanks for your patience in walking through some triage steps with me!

0 Karma

DUThibault
Contributor

Looks like our license and support renewal has not gone through yet, so I can't file a bug. Maybe you could do so on my behalf?

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

I only have the ability to file a bug with engineering, but we'd need more triage to be done and details gathered by support before working a bug at that level, unfortunately. However, I'll see what I can sort out.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...