Splunk Enterprise Security

Strange issue with missing menu in Enterprise Security

Path Finder

I'm hoping someone can assist me with this strange issue. For some reason my menu bar for enterprise security is gone when on the "Home" choice, i.e. it only shows the "search" choice. However, if I click on Incident Review, the bar shows up and everything else renders properly, with the exception that "Investigations" has the same issue. I've compared everything in my SplunkEnterpriseSecurity app directory with the installation tar, and have poked around in the local dir to see if anything has changed. I can even look at the source code on the page and I see the menu choices in the javascript. They just don't render. Any ideas??

alt text

alt text

0 Karma

Path Finder

Ran into the same issue with one of my customers. We found that removing the file "custom.xml" located in default/data/ui/nav in the Okta add-on fixed the issue, and still let us use the search-time parsing in ES for Okta events. I'm not sure why custom.xml is there, since it is identical to default.xml in the same directory.

This worked for me as well.

0 Karma

Splunk Employee
Splunk Employee

So, the actual problem was that the Okta TA was automatically getting "included" into the ES app, so the nav and views defined in that TA were 'a part of' the ES app. See https://docs.splunk.com/Documentation/ES/5.2.2/Install/ImportCustomApps for information on this feature of ES. By default, any app that starts with "TA-" (and others) is automatically "imported" into the ES app. Since the Okta add-on starts with "TA-" (the name is "TA-Okta_Identity_Cloud_for_Splunk"), it was getting imported and visible in ES, causing the nav issues (and other pages to show up).

To fix:
1. In the ES app, navigate to "Configure | General | App Imports Update".
2. Click on the "update_es" item to edit it.
3. Add "|TA-Okta_Identity_Cloud_for_Splunk" to the "Application Exclusion Regular Expression" field.
4. Save your changes.
5. Restart Splunk.

Path Finder

Turns out the TA for Okta was somehow affecting the dashboard. I removed it and things returned to normal.

0 Karma

Splunk Employee
Splunk Employee

Look and see if you have a nav.xml in a local directory that might be getting precedence.

0 Karma

Path Finder

Thanks for commenting on this, I had forgotten I had opened it.

Turns out the TA for Okta was somehow affecting the dashboard. I removed it and things returned to normal.

0 Karma