Solved: Splunk Enterprise Security: Why can't I create an ...

abalogh_splunk · ‎04-10-2017

We have just upgraded Splunk Enterprise 6.4.1 / Splunk Enterprise Security 4.1.1 to Splunk Enterprise 6.5.2 with Splunk Enterprise Security 4.5.2.

When I try to create an Ad-Hoc Notable Event I get the following error in the UI:

Failed to create notable event: Not Found

Firefox Debug:
https://splunk-es/en-US/splunkd/__raw/services/alerts/modaction_adhoc [HTTP/1.1 404 Not Found 16ms]

abalogh_splunk · ‎04-10-2017

Answering my own question for documentation purposes.

Make sure you have upgrade Splunk_SA_CIM as well since modaction_adhoc has been moved into Splunk_SA_CIM in later versions. Former installation was running CIM 4.3.1, upgraded to 4.6.0 and it solved the issue.

View solution in original post

abalogh_splunk · ‎04-10-2017

Answering my own question for documentation purposes.

Make sure you have upgrade Splunk_SA_CIM as well since modaction_adhoc has been moved into Splunk_SA_CIM in later versions. Former installation was running CIM 4.3.1, upgraded to 4.6.0 and it solved the issue.

Splunk Enterprise Security: Why can't I create an ad-hoc notable event after upgrade?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...