Splunk Enterprise Security: Why can't I create an ad-hoc notable event after upgrade?

Splunk Employee

We have just upgraded Splunk Enterprise 6.4.1 / Splunk Enterprise Security 4.1.1 to Splunk Enterprise 6.5.2 with Splunk Enterprise Security 4.5.2.

When I try to create an Ad-Hoc Notable Event I get the following error in the UI:

Failed to create notable event: Not Found

Firefox Debug:
https://splunk-es/en-US/splunkd/__raw/services/alerts/modaction_adhoc [HTTP/1.1 404 Not Found 16ms]


Splunk Employee

Answering my own question for documentation purposes.

Make sure you have upgraded Splunk_SA_CIM as well, since modaction_adhoc has been moved into Splunk_SA_CIM in later versions. The former installation was running CIM 4.3.1; upgrading to 4.6.0 solved the issue.
