Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Incident Review and Investigations page errored out after ESS 5.3.0 upgrade

jawaharas
Motivator
‎05-27-2019 05:47 PM

After upgrading 'Splunk Enterprise Security' from version 5.1.0 to 5.3.0, 'Incident Review', and Investigations page errored out with below errors.

  1. Incident Review:
    URL: https://domain_name/en-US/app/SplunkEnterpriseSecuritySuite/incident_review
    Error Message: Unable to xml-parse the following data: %s

  2. Investigations:
    URL: https://domain_name/en-US/app/SplunkEnterpriseSecuritySuite/ess_investigation_list
    Error Message: JSON.parse: unexpected character at line 1 column 1 of the JSON data

Any help is welcome one. Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Splunker
Communicator
‎05-27-2019 07:04 PM

Try the fix for SOLNESS-18773

https://docs.splunk.com/Documentation/ES/5.3.0/RN/KnownIssues

Assuming it's ES on Windows. If that doesn't fix it, suggest contacting support (and advising the fix here too would be nice) 🙂

Cheers,

Chris.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Splunker
Communicator
‎05-27-2019 07:04 PM

Try the fix for SOLNESS-18773

https://docs.splunk.com/Documentation/ES/5.3.0/RN/KnownIssues

Assuming it's ES on Windows. If that doesn't fix it, suggest contacting support (and advising the fix here too would be nice) 🙂

Cheers,

Chris.

0 Karma
Reply
Solved! Jump to solution

jawaharas
Motivator
‎05-29-2019 07:18 PM

After replacing the python script (log.py) provided by Splunk support, the issue is fixed and it works for Linux environment as well.

1. Stop Splunk.

2. Take backup of the following two files. (e.g. log.py.bak)

$SPLUNK_HOME\etc\apps\SA-Utils\lib\SolnCommon\log.py
$SPLUNK_HOME\etc\apps\SplunkEnterpriseSecuritySuite\lib\SplunkEnterpriseSecuritySuite\log.py

3. Replace the following two files with the attached modified log.py file. (Rename the file extension to ".py" before replacing.)

$SPLUNK_HOME\etc\apps\SA-Utils\lib\SolnCommon\log.py
$SPLUNK_HOME\etc\apps\SplunkEnterpriseSecuritySuite\lib\SplunkEnterpriseSecuritySuite\log.py

4. Start Splunk again.
0 Karma
Reply
Solved! Jump to solution

Splunker
Communicator
‎05-29-2019 09:50 PM

Awesome, this will help many people. Thanks!

Chris.

0 Karma
Reply
Solved! Jump to solution

mdennis0177
New Member
‎07-17-2019 01:37 PM

I don't see the attached py file....

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎07-17-2019 01:53 PM

I think you have to get it from support.

0 Karma
Reply
Solved! Jump to solution

jawaharas
Motivator
‎05-28-2019 07:14 PM

Thanks Chris. I ve submitted case with Splunk support and will let you know the outcome of the fix.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...