Solved: Splunk Enterprise Security: Why can't I create an ...

abalogh_splunk · ‎04-10-2017

We have just upgraded Splunk Enterprise 6.4.1 / Splunk Enterprise Security 4.1.1 to Splunk Enterprise 6.5.2 with Splunk Enterprise Security 4.5.2.

When I try to create an Ad-Hoc Notable Event I get the following error in the UI:

Failed to create notable event: Not Found

Firefox Debug:
https://splunk-es/en-US/splunkd/__raw/services/alerts/modaction_adhoc [HTTP/1.1 404 Not Found 16ms]

abalogh_splunk · ‎04-10-2017

Answering my own question for documentation purposes.

Make sure you have upgrade Splunk_SA_CIM as well since modaction_adhoc has been moved into Splunk_SA_CIM in later versions. Former installation was running CIM 4.3.1, upgraded to 4.6.0 and it solved the issue.

View solution in original post

abalogh_splunk · ‎04-10-2017

Answering my own question for documentation purposes.

Make sure you have upgrade Splunk_SA_CIM as well since modaction_adhoc has been moved into Splunk_SA_CIM in later versions. Former installation was running CIM 4.3.1, upgraded to 4.6.0 and it solved the issue.

Splunk Enterprise Security: Why can't I create an ad-hoc notable event after upgrade?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes