Splunk Enterprise Security: Why am I unable to create notable events?

meirwah
Engager

Issue I see in web_service.log:

2016-02-15 16:58:28,367 ERROR [56c203b3dd836e2840f0] __init__:340 - Mako failed to render:

Traceback (most recent call last):
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\controllers\__init__.py", line 336, in render_template
    return templateInstance.render(template_args)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\mako\template.py", line 443, in render
    return runtime.render(self, self.callable, args, data)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\mako\runtime.py", line 803, in _render
    kwargs_for_callable(callable, data))
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\mako\runtime.py", line 835, in _render_context
    _exec_template(inherit, lclcontext, args=args, kwargs=kwargs)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\mako\runtime.py", line 860, in _exec_template
    callable(context, *args, kwargs)
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/layout/base.html", line 22, in render_body
    <%self:render/>
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/layout/base.html", line 28, in render_render
    <%self:pagedoc/>
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/layout/base.html", line 102, in render_pagedoc
    <%next:body/>
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/layout/view.html", line 24, in render_body
    ${next.body()}
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/view/dashboard.html", line 124, in render_body
    <%call expr="parent.getFloatLayoutRow(modules, rowNumber)">
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/view/dashboard.html", line 327, in render_getFloatLayoutRow
    <%call expr="next.getDashboardPanel(modules, panelNamesByColumn[col])">
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/view/dashboard.html", line 84, in render_getDashboardPanel
    <%call expr="parent.buildPanelContents(modules, groupName)">
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/view/dashboard.html", line 231, in render_buildPanelContents
    <%call expr="buildModule(module)">
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/view/dashboard.html", line 195, in buildModule
    <%def name="buildPanelContents(modules, panelName)"><%
  File "C:\Program Files\Splunk\share\splunk\search_mrsparkle\templates/view/dashboard.html", line 189, in render_buildModule
    <%include file="${module['templatePath']}" args="module=module"/>
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\mako\runtime.py", line 730, in include_file
    callable(ctx, kwargs_for_include(callable, context._data, **kwargs))
  File "C:\Program Files\Splunk\etc\apps\SA-ThreatIntelligence\appserver\modules\NotableEventCreator\NotableEventCreator.html", line 1, in render_body
    <%# Copyright (C) 2009-2012 Splunk Inc. All Rights Reserved.
  File "C:\Program Files\Splunk\etc\apps\SA-ThreatIntelligence\bin\shortcuts\__init__.py", line 162, in getOwners
    unused_response, content = KvStoreHandler.get(None, session_key, options)
  File "C:\Program Files\Splunk\etc\apps\SA-Utils\lib\SolnCommon\kvstore.py", line 37, in get
    response, content = splunk.rest.simpleRequest(uri, sessionKey=session_key)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\rest\__init__.py", line 529, in simpleRequest
    raise splunk.ResourceNotFound(uri, extendedMessages=extractMessages(body))
ResourceNotFound: [HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/SA-ThreatIntelligence/storage/collections/data/notable_owne...; [{'type': 'ERROR', 'text': 'Application is disabled: SA-ThreatIntelligence', 'code': None}]

2016-02-15 16:58:28,401 ERROR [56c203b3dd836e2840f0] __init__:321 - Unable to obtain template "dashboard.html":

Traceback (most recent call last):
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\controllers\__init__.py", line 316, in render_template
    templateInstance = mako_lookup.get_template(template_name)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\controllers\__init__.py", line 199, in get_template
    raise exceptions.TopLevelLookupException(_("Splunk has failed to locate the template for uri '%s'." % uri))
TopLevelLookupException: Splunk has failed to locate the template for uri 'dashboard.html'.
0 Karma

pellegrini
Path Finder

We had the same error "Error updating FIPS compliance settings."
Based on your errors above I don't think you have the same issue as us, but consider adding your own debug logging to the Python code. See https://answers.splunk.com/answers/814828/error-updating-fips-compliance-settings-during-es.html?chi... for example.

Also look at splunkd_access.log.

0 Karma

mdessus_splunk
Splunk Employee

This "Application is disabled: SA-ThreatIntelligence" is not normal. Did the ES installation go well? Look for essinstall.log in your log directory.
Can you check which apps are not enabled, and try to enable them?

meirwah
Engager

I have this issue in the install:

2016-02-10 21:53:46,782 ERROR msg="Error updating FIPS compliance settings."
Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\SplunkEnterpriseSecuritySuite\bin\install\deploy_fips_compliant_settings.py", line 138, in deployFips
    incident_review_lookup_empty = isLookupEmpty(IR_LOOKUP, IR_APP, DEFAULT_OWNER, key)
  File "C:\Program Files\Splunk\etc\apps\SplunkEnterpriseSecuritySuite\bin\install\deploy_fips_compliant_settings.py", line 65, in isLookupEmpty
    transform = SplunkLookupTransform.get(SplunkLookupTransform.build_id(lookup_name, namespace, owner), sessionKey=key)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\models\base.py", line 548, in get
    return SplunkRESTManager(cls, sessionKey=sessionKey).get(id)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\models\base.py", line 528, in get
    entity = self._get_entity(id, host_path=host_path)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\models\base.py", line 444, in _get_entity
    return self._fix_entity(splunk.entity.getEntity(self.model.resource, None, sessionKey=self.sessionKey, uri=id))
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\entity.py", line 249, in getEntity
    serverResponse, serverContent = rest.simpleRequest(uri, getargs=kwargs, sessionKey=sessionKey, raiseAllErrors=True)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\rest\__init__.py", line 529, in simpleRequest
    raise splunk.ResourceNotFound(uri, extendedMessages=extractMessages(body))
ResourceNotFound: [HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/SA-ThreatIntelligence/data/transforms/lookups/incident_revi...; [{'code': None, 'text': 'Application is disabled: SA-ThreatIntelligence', 'type': 'ERROR'}]
2016-02-10 21:53:46,798 INFO Forcing refresh for identity manager modular input: category="force_asset"
0 Karma
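
A small triage helper for the check suggested in this thread (an added example, not code from the posters or from Splunk): it scans log text for REST failures that carry "Application is disabled: ..." and groups them by app, so every affected endpoint is visible at once. The sample log is constructed from the record headers and final exception lines of the two tracebacks posted above; the function and variable names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: record headers and final exception lines of the two
# tracebacks in this thread (URIs are truncated with "..." as on the page).
SAMPLE_LOG = """\
2016-02-15 16:58:28,367 ERROR [56c203b3dd836e2840f0] __init__:340 - Mako failed to render:
Traceback (most recent call last):
ResourceNotFound: [HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/SA-ThreatIntelligence/storage/collections/data/notable_owne...; [{'type': 'ERROR', 'text': 'Application is disabled: SA-ThreatIntelligence', 'code': None}]
2016-02-10 21:53:46,782 ERROR msg="Error updating FIPS compliance settings."
Traceback (most recent call last):
ResourceNotFound: [HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/SA-ThreatIntelligence/data/transforms/lookups/incident_revi...; [{'code': None, 'text': 'Application is disabled: SA-ThreatIntelligence', 'type': 'ERROR'}]
2016-02-10 21:53:46,798 INFO Forcing refresh for identity manager modular input: category="force_asset"
"""

# A log record starts with a timestamp and level; traceback lines do not.
RECORD_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\w+)")
# Final exception line of a failed REST call: "<Exception>: [HTTP nnn] <uri>; ..."
REST_ERROR = re.compile(r"^(\w+): \[HTTP (\d{3})\] (\S+?);")
DISABLED_APP = re.compile(r"Application is disabled: ([\w.-]+)")

def find_disabled_apps(log_text):
    """Map each app reported as disabled to the REST failures that named it."""
    hits = defaultdict(list)
    last_ts = None
    for line in log_text.splitlines():
        start = RECORD_START.match(line)
        if start:
            last_ts = start.group(1)  # a traceback belongs to the preceding record
            continue
        err = REST_ERROR.match(line.strip())
        app = DISABLED_APP.search(line)
        if err and app:
            hits[app.group(1)].append({
                "time": last_ts,
                "exception": err.group(1),
                "status": int(err.group(2)),
                "uri": err.group(3),
            })
    return dict(hits)

if __name__ == "__main__":
    for app, failures in find_disabled_apps(SAMPLE_LOG).items():
        print(f"{app}: {len(failures)} failed REST call(s)")
        for f in failures:
            print(f"  {f['time']}  HTTP {f['status']}  {f['uri']}")
```
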