Splunk Enterprise Security

Strange issue with missing menu in Enterprise Security

tommoore
Path Finder

I'm hoping someone can assist me with this strange issue. For some reason my menu bar for enterprise security is gone when on the "Home" choice, i.e. it only shows the "search" choice. However, if I click on Incident Review, the bar shows up and everything else renders properly, with the exception that "Investigations" has the same issue. I've compared everything in my SplunkEnterpriseSecurity app directory with the installation tar, and have poked around in the local dir to see if anything has changed. I can even look at the source code on the page and I see the menu choices in the javascript. They just don't render. Any ideas??

alt text

alt text

0 Karma

brian_rampley
Path Finder

Ran into the same issue with one of my customers. We found that removing the file "custom.xml" located in default/data/ui/nav in the Okta add-on fixed the issue, and still let us use the search-time parsing in ES for Okta events. I'm not sure why custom.xml is there, since it is identical to default.xml in the same directory.

splunk_rohitsha
Engager

This worked for me as well.

0 Karma

kcepull_splunk
Splunk Employee
Splunk Employee

So, the actual problem was that the Okta TA was automatically getting "included" into the ES app, so the nav and views defined in that TA were 'a part of' the ES app. See https://docs.splunk.com/Documentation/ES/5.2.2/Install/ImportCustomApps for information on this feature of ES. By default, any app that starts with "TA-" (and others) is automatically "imported" into the ES app. Since the Okta add-on starts with "TA-" (the name is "TA-Okta_Identity_Cloud_for_Splunk"), it was getting imported and visible in ES, causing the nav issues (and other pages to show up).

To fix:
1. In the ES app, navigate to "Configure | General | App Imports Update".
2. Click on the "update_es" item to edit it.
3. Add "|TA-Okta_Identity_Cloud_for_Splunk" to the "Application Exclusion Regular Expression" field.
4. Save your changes.
5. Restart Splunk.

tommoore
Path Finder

Turns out the TA for Okta was somehow affecting the dashboard. I removed it and things returned to normal.

0 Karma

sjohnson_splunk
Splunk Employee
Splunk Employee

Look and see if you have a nav.xml in a local directory that might be getting precedence.

0 Karma

tommoore
Path Finder

Thanks for commenting on this, I had forgotten I had opened it.

Turns out the TA for Okta was somehow affecting the dashboard. I removed it and things returned to normal.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...