Hi,
after several re-runs of the introspection, I'm basically out of ideas.
I'm having the strange behaviour, that the first four sourcetype-based searches in step two never complete. My first thought was that there has to be an issue with the searches itselves (first searches are all about AWS). Trying to cancel the specific search results in a TypeError:
data_inventory_introspection.js?bust=10263:2501 Uncaught TypeError: intro_steps[stage].cancel is not a function
at HTMLAnchorElement.<anonymous> (data_inventory_introspection.js?bust=10263:2501)
at HTMLAnchorElement.dispatch (common.js:26)
at HTMLAnchorElement.elemData.handle (common.js:26)
After digging into the sourcecode of app/Splunk_Security_Essentials/components/controls/data_inventory_introspection.js I've noticed, that you can't skip not-running/pending searches at all:
// line 369-371
let shouldCancel = false
if(intro_elements[sourcetypeLookup['productId']].status == "searching"){
shouldCancel = true
}
Next I deleted the corresponding elements from the array/object in runtime (e.g. Developer Tools in Chrome) before running the introspection:
delete(intro_elements["AWS__CloudTrail"])
delete(intro_elements["AWS__CloudWatch"])
delete(intro_elements["AWS__Config"])
delete(intro_elements["AWS__S3"])
delete(intro_elements["AWS__VPC_Flow_Logs"])
This actually worked. The searches have been 'skipped' (well they don't exist anymore) but now the next four searches are not beeing completed. While all this happens, CIM Searches in Step one stay queued and not start at all.
I would really appreciate any help
... View more