I've also noticed that it's getting a 400 Bad Request when doing a POST request to __raw/servicesNS/<username>/Splunk_Security_Essentials/search/jobs. Checking these I can see that they are all for searches like | from datamodel:Identity_Management.All_Assets | head 300000| stats count and the error that comes from searching is that the data model doesn't exist. I'm unsure if this is because something went wrong with the installation or if it's because the inventorying hasn't been completed yet.
Unfortunately I also get errors when trying to configure the Data Inventory manually where I can't attach a product to 2 categories - e.g. successful authentications & failed authentications.
I've tried resetting several times without any progress.
I'm running Splunk Enterprise 8.2.5 and Splunk Security Essentials 3.5.0.
Has anyone come across this behaviour before?
... View more