Splunk Cisco Security Suite

jgauthier
Contributor

I noticed that Splunk for Cisco Security Suite is available and replaced the previous named product.

I removed the old product from my apps, installed this one and restarted Splunk.

When I went to use the App, Splunk indicated the app was not set up. So, I went to the setup page; I see there is nothing to do, so I click "Save".

Then this error is presented:

"Your entry was not saved. The following error was reported: undefined."

Thanks for any help!

1 Solution

LukeMurphey
Champion

You can bypass the setup screen by setting is_configured to true in app.conf. To do so, open etc/apps/Splunk_CiscoSecuriySuite/local/app.conf (or create it if it does not exist) and enter the following:

[install]
is_configured = true

You may need to restart Splunk after editing the config file. Splunk won't force you to view the setup screen once it recognizes the app is considered configured.
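To see what this fix actually changes, here is an added Python example (not from the thread or from the app itself) that layers a default/app.conf under a local/app.conf the way Splunk does and reports the effective is_configured and build values. The file contents are constructed from the stanzas quoted in this thread; the boolean spellings accepted are a simplification of Splunk's own.

```python
import configparser

# Constructed sample files mirroring the stanzas quoted in the thread;
# the build value is the one cited by LukeMurphey, used here only as sample data.
DEFAULT_APP_CONF = """
[install]
state = enabled
is_configured = false
build = 96430
"""

LOCAL_APP_CONF = """
[install]
is_configured = true
"""


def parse_conf(text):
    """Parse a Splunk .conf file (INI-style) into {stanza: {key: value}}."""
    cp = configparser.RawConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def merge_layers(default_conf, local_conf):
    """Apply Splunk's precedence: a key in local/ overrides the same key in default/."""
    merged = {s: dict(kv) for s, kv in default_conf.items()}
    for stanza, kv in local_conf.items():
        merged.setdefault(stanza, {}).update(kv)
    return merged


def install_status(default_text, local_text=""):
    """Return (is_configured, build) as seen after layering local over default."""
    merged = merge_layers(parse_conf(default_text), parse_conf(local_text))
    install = merged.get("install", {})
    # Simplification: Splunk also accepts other boolean spellings (t/f, yes/no).
    configured = install.get("is_configured", "false").strip().lower() in ("1", "true")
    return configured, install.get("build")


if __name__ == "__main__":
    print(install_status(DEFAULT_APP_CONF))                  # (False, '96430')
    print(install_status(DEFAULT_APP_CONF, LOCAL_APP_CONF))  # (True, '96430')
```

Running it with only the default file shows why Splunk keeps sending you to the setup page; adding the local stanza flips the effective value without touching the build number.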


lhy719
New Member

I encountered a similar problem. I followed the instructions in 'Setup screen example using a custom endpoint' and get the same error message when I save configuration changes in the Web UI.

Content of my restmap.conf:

[admin:myendpoint]
match=/appset
members=appsettings

[admin_external:appsettings]
handlertype = python
handlerfile = App_python_handler.py
handleractions = list, edit

Content of my App_python_handler.py:

import splunk.admin as admin
import splunk.entity as en


class ConfigApp(admin.MConfigHandler):
    def setup(self):
        # Declare the optional arguments the edit action accepts
        if self.requestedAction == admin.ACTION_EDIT:
            for arg in ['field_1', 'field_2_boolean', 'field_3']:
                self.supportedArgs.addOptArg(arg)

    def handleList(self, confInfo):
        # Read appsettings.conf and return every stanza's keys to the caller
        confDict = self.readConf("appsettings")
        if None != confDict:
            for stanza, settings in confDict.items():
                for key, val in settings.items():
                    if key in ['field_2_boolean']:
                        if int(val) == 1:
                            val = '0'
                        else:
                            val = '1'
                    if key in ['field_1'] and val in [None, '']:
                        val = ''
                    confInfo[stanza].append(key, val)

    def handleEdit(self, confInfo):
        # Normalize the submitted values, then persist them to appsettings.conf
        name = self.callerArgs.id
        args = self.callerArgs
        if int(self.callerArgs.data['field_3'][0]) < 60:
            self.callerArgs.data['field_3'][0] = '60'
        if int(self.callerArgs.data['field_2_boolean'][0]) == 1:
            self.callerArgs.data['field_2_boolean'][0] = '0'
        else:
            self.callerArgs.data['field_2_boolean'][0] = '1'
        if self.callerArgs.data['field_1'][0] in [None, '']:
            self.callerArgs.data['field_1'][0] = ''
        self.writeConf('appsettings', 'setupentity', self.callerArgs.data)


admin.init(ConfigApp, admin.CONTEXT_NONE)


LukeMurphey
Champion

What version of Splunk are you using (e.g. 4.2 build 96430)?

Also, could you provide the build number of the Cisco Security Suite app? You can find the build number in the file at etc/apps/Splunk_CiscoSecuriySuite/default/app.conf under the install stanza:

[install]
state = enabled
is_configured = false
build = 96430

jgauthier
Contributor

Absolutely. This is a Windows 2008 R2 x64 server.
I am willing to work with you to identify/resolve if needed. I am pretty flexible.


LukeMurphey
Champion

Could you be so kind as to let me know what platform (Linux, Mac, etc.) you are on? I want to replicate the issue so that I can fix it and am wondering if this pertains to a particular platform.


jgauthier
Contributor

I upgraded to splunk 4.2 build 96430. The only other apps I have installed are Splunk for Nagios, the Cisco for Firewalls (for the extraction bits), and the splunk license usage.

I did verify the error appears with this build, too.
Understanding that it's benign, how do I use the app? Every time I go to the app, it tells me it needs to be configured. So, I try to save, and an endless circle ensues!

Thanks!


LukeMurphey
Champion

Do you have any of the other Cisco apps or the MaxMind app installed?

I just tried the same version of the Cisco Security Suite on 4.1.7 with no apps installed and it worked fine for me. I'm wondering if some app or combination of apps triggers the problem.

Like dmitrii4splunk said, that error is benign. Nevertheless, it would be nice if we could get that fixed.


jgauthier
Contributor

Splunk 4.1.7 build 95063.
Security Suite:

build = 96705

I downloaded Splunk last week. I bet I need to be using 4.2. I'm not sure why I have 4.1!


dmitrii4splunk
Engager

Hi,

  1. There should be a hyperlink on the Setup page that will take you to version 1.0.0 of Cisco Security Suite (http://splunkbase.splunk.com/apps/All/4.x/Suite/app:Cisco+Security+Suite)

  2. The error that you see should be benign.

  3. What version of Splunk are you on?

-Dmitrii
