Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Strange issue with missing menu in Enterprise Security

tommoore
Path Finder
‎08-21-2018 06:53 AM

I'm hoping someone can assist me with this strange issue. For some reason my menu bar for enterprise security is gone when on the "Home" choice, i.e. it only shows the "search" choice. However, if I click on Incident Review, the bar shows up and everything else renders properly, with the exception that "Investigations" has the same issue. I've compared everything in my SplunkEnterpriseSecurity app directory with the installation tar, and have poked around in the local dir to see if anything has changed. I can even look at the source code on the page and I see the menu choices in the javascript. They just don't render. Any ideas??

alt text

alt text

Preview file
108 KB
Preview file
79 KB
0 Karma
Reply

brian_rampley
Path Finder
‎04-24-2019 10:13 AM

Ran into the same issue with one of my customers. We found that removing the file "custom.xml" located in default/data/ui/nav in the Okta add-on fixed the issue, and still let us use the search-time parsing in ES for Okta events. I'm not sure why custom.xml is there, since it is identical to default.xml in the same directory.

Reply

splunk_rohitsha
Engager
‎11-13-2019 07:45 PM

This worked for me as well.

0 Karma
Reply

kcepull_splunk
Splunk Employee
Splunk Employee
‎02-20-2019 11:49 AM

So, the actual problem was that the Okta TA was automatically getting "included" into the ES app, so the nav and views defined in that TA were 'a part of' the ES app. See https://docs.splunk.com/Documentation/ES/5.2.2/Install/ImportCustomApps for information on this feature of ES. By default, any app that starts with "TA-" (and others) is automatically "imported" into the ES app. Since the Okta add-on starts with "TA-" (the name is "TA-Okta_Identity_Cloud_for_Splunk"), it was getting imported and visible in ES, causing the nav issues (and other pages to show up).

To fix:
1. In the ES app, navigate to "Configure | General | App Imports Update".
2. Click on the "update_es" item to edit it.
3. Add "|TA-Okta_Identity_Cloud_for_Splunk" to the "Application Exclusion Regular Expression" field.
4. Save your changes.
5. Restart Splunk.

Reply

tommoore
Path Finder
‎12-20-2018 06:41 AM

Turns out the TA for Okta was somehow affecting the dashboard. I removed it and things returned to normal.

0 Karma
Reply

sjohnson_splunk
Splunk Employee
Splunk Employee
‎12-20-2018 06:32 AM

Look and see if you have a nav.xml in a local directory that might be getting precedence.

0 Karma
Reply

tommoore
Path Finder
‎12-20-2018 06:41 AM

Thanks for commenting on this, I had forgotten I had opened it.

Turns out the TA for Okta was somehow affecting the dashboard. I removed it and things returned to normal.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...