Splunk Enterprise Security

Incident Review | Search is waiting for input...

virchenko
Explorer

Hello all!
I'm having trouble with the Enterprise Security => Incident Review page.
All the time it shows "Search is waiting for input..."
Urgency is empty, the graphic is empty.
But on the Security Posture page I have events.
Has anyone had this problem in the past?
How can I troubleshoot it?

0 Karma

ibmresilient
Path Finder

OK, figured out the "problem", for us at least. Splunk ES 4.7.2 is not compatible with Splunk 7.2.1. We rolled back to Splunk 6.6, and this error message disappeared.

0 Karma

sharkie
Engager

Why not upgrade Splunk ES instead? There are new features which make it worthwhile.

0 Karma

ibmresilient
Path Finder

I have the same problem, running Splunk 7.2.1 and Splunk ES 4.7.2. Does anyone know how to fix it, please?

0 Karma

patriciachavez
New Member

Have you managed to solve it? The same thing happens to me with the PCI app. I have identified errors within the _internal logs with the search "index=_internal sourcetype=splunk_web_service component=error"; apparently it is a js theme.

In my case it looks for a js that it does not find, InvestigationBarViewWrapper.js, in /etc/apps/SplunkEnterpriseSecuritySuite/appserver/static/, but I cannot find it if it is generated dynamically.

509 INFO [5ba2e020817f21c03fa2d0] error:311 - Masking the original 404 message: 'The path '/en-US/static/@a0c72a66db66/app/SplunkEnterpriseSecuritySuite/InvestigationBarViewWrapper.js' was not found.' with 'Page not found!' for security reasons

But I can not solve it 😞 Do you have any new status?

0 Karma

mstjohn_splunk
Splunk Employee

Hi @virchenko. Thanks for your question! Did the answer below solve your question? If yes, please click “Accept” directly below the answer to resolve the post. If not, please comment with more information if you are still having issues.

0 Karma

harsmarvania57
SplunkTrust

Hi @virchenko,

You need to provide a Correlation Search Name, and you need to provide a timeframe as well instead of "All Time".

If you want to check Notable Events from the Security Posture page in Incident Review, then just click on the Correlation Search Name under "Top Notable Events", which will drill down (redirect) you to the Incident Review page.

0 Karma

virchenko
Explorer

Thanks for the answer.
It'll work when the page works correctly.
I don't get any reaction from changing Correlation Search Name or other filters.

0 Karma