I'm running VT4Splunk 1.6.0 (https://splunkbase.splunk.com/app/6654). It's deployed via the SH Cluster Deployer.
I'm trying to edit the index names, but get a generic error: "Unexpected error when Enabling/Disabling saved searches."
Any ideas?
I opened a ticket with VT. It looks like the current version has a bug that prevents the add-on from saving its configuration properly. A new version (1.6.1) will be released in the next few days.
If you remove the check mark from "Enable automatic correlation", do you still receive the error message?
Weird, I disabled that tick mark and made changes to the "Index name". Then hit save. Then reenabled it. Looks...like it worked. I'll do more testing.
I enabled debugging in the app, but it didn't help. The error is generated by vt_validator.py in the validate function. I'm not entirely sure which line in try is throwing the exception.
    def validate(self, _, data):
        '''Validate method to perform action.'''
        try:
            self.vt_env = vt_environment.VirusTotalEnv(GetSessionKey().session_key)
            enabled = data.get('virustotal_saved_searches_enabled', 1)
            for name in self.saved_searches_names:
                saved_search = self.vt_env.service.saved_searches[name]
                saved_search.update(**{'is_scheduled': enabled}).refresh()
            return True
        except Exception:  # pylint: disable=broad-except
            self.put_msg('Unexpected error when Enabling/Disabling saved searches.')
            logger.error('Unexpected error when Enabling/Disabling saved searches.')
            return False
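
The `except` block above logs a fixed string and drops the exception, which is why debug logging does not show the failing line. The following is an added example, not the app's own code or part of the original post: it runs the same update loop with the try/except moved inside the loop and `logger.exception` recording the traceback per saved search. `FakeSavedSearch`, `toggle_saved_searches`, the search names and the plain dict standing in for `self.vt_env.service.saved_searches` are all constructed for illustration.

```python
import logging

logger = logging.getLogger("vt_validator_debug")  # hypothetical logger name


class FakeSavedSearch:
    """Constructed stand-in for a saved search entity (not splunklib itself)."""

    def __init__(self, name, fail=False):
        self.name, self.fail, self.is_scheduled = name, fail, None

    def update(self, **kwargs):
        if self.fail:
            # Simulates a write that is rejected by the server
            raise PermissionError(f"cannot edit {self.name}")
        self.is_scheduled = kwargs["is_scheduled"]
        return self

    def refresh(self):
        return self


def toggle_saved_searches(saved_searches, names, enabled):
    """Same loop as validate(), but reports which search failed and why."""
    failures = []
    for name in names:
        try:
            # A missing name raises KeyError on lookup; a rejected
            # write raises from update(). Both are caught per search.
            saved_searches[name].update(is_scheduled=enabled).refresh()
        except Exception as exc:  # pylint: disable=broad-except
            # logger.exception writes the full traceback to the log
            logger.exception("Saved search %r could not be updated", name)
            failures.append((name, type(exc).__name__, str(exc)))
    return failures


if __name__ == "__main__":
    # Constructed sample data: one working search, one that rejects
    # the update, and one name that does not exist in the collection.
    searches = {
        "example_search_ok": FakeSavedSearch("example_search_ok"),
        "example_search_denied": FakeSavedSearch("example_search_denied", fail=True),
    }
    names = ["example_search_ok", "example_search_denied", "example_search_missing"]
    for failure in toggle_saved_searches(searches, names, 0):
        print(failure)
```
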
I'm also having the same error. I spun up a test environment and I'm not able to test the app. Any help will be appreciated.