Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Ad hoc adaptive response executed twice

goran_epl
Explorer
‎01-29-2021 08:45 AM

Hello,

I've created adaptive response action with Add-on builder 3.0.1. It creates a ticket in ticketing system. 

Splunk enterprise security 6.2.0 is running in a cluster. Indexers are also clustered, multi-site. Splunk is 8.0.6.

When action is triggered from saved alert, it works perfectly. When running ad hoc action from Incident review page the script gets executed twice and creates two same tickets. There is a 5 seconds difference between two actions.

Why would it be executed twice?

Goran

 

Labels (1)
Labels
0 Karma
Reply

morawi5
Explorer
‎04-09-2021 10:46 AM

@Anonymous @ebond_splunk  - Are you also seeing duplicates when using something like "ping" too?

0 Karma
Reply

ebond_splunk
Splunk Employee
Splunk Employee
‎04-09-2021 10:50 AM

Hey @morawi5 , yep,  we figured out that all dispatched adhoc mod actions are duplicating. But we also discovered the problem and implemented a fix for the next maintenance release.  If you have access to your splunk instance files, I can show you what file to update. It's a one liner fix in python. Let me know!

0 Karma
Reply

goran_epl
Explorer
‎04-12-2021 12:06 AM

Yes please. We would like to give a shot with one liner fix in python.

Can you please send it?

0 Karma
Reply

morawi5
Explorer
‎04-12-2021 05:33 AM

 

So you'll need to open file "etc/apps/Splunk_SA_CIM/bin/modaction_adhoc_rest_handler.py". And add to line 561.

'preview': 'false',

  Basically you'll want the code block to look like this:

args = {
    'output_mode': 'json',
    # CIM-944: adhoc_search_level essential to proper field extraction
    'adhoc_search_level': 'verbose',
    'preview': 'false',
    'search': search
}

 Restart afterwards - This worked from me, kudos to @ebond_splunk 

0 Karma
Reply

morawi5
Explorer
‎04-09-2021 11:04 AM

Yep, I do have access, just private messaged you.

0 Karma
Reply

morawi5
Explorer
‎04-09-2021 10:45 AM

We are also seeing the same exact situation on Splunk 8.1.1 and ES 6.4.1 

0 Karma
Reply

ebond_splunk
Splunk Employee
Splunk Employee
‎02-19-2021 09:56 AM

@goran_epl 

Were you able to find a solution? If so, there's a similar situation occurring with another customer and we're trying to figure out a solution. The issue is that we can't replicate what's going on. Any ideas?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...