Closed redNixon closed 3 years ago
Oops, this is what happens when I blindly assume upgrades are backwards compatible. Will look into this today.
Should be fixed here: https://github.com/clong/DetectionLab/commit/7778de6190c462e0846991158561d8a2ea13b6ff
The threathunting dashboard in Splunk appears to no longer be showing any data and is instead giving errors about a missing index/macro. From what I can tell it was introduced by #616 after it upgraded the threathunting tarball to v1492. The new version has a number of changes that look similar to this, where the index name has been changed as well as wrapped in quotes:
The dashboard components all show errors referencing this new name, for example:
"Error in 'SearchParser': The search specifies a macro 'threathunting_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information."
The (old?) threathunting index is present in Splunk and is still getting data sent into it; changing a few of the pages' source back to the original version's index pattern made the app seem to work again.
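A check for the failure reported above, as an added example that is not code from DetectionLab or the ThreatHunting app: it lists macros that an app's dashboards reference but its `macros.conf` does not define. The sample `macros.conf` and dashboard are constructed, and every macro name other than `threathunting_index` is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the macros an app ships in its macros.conf.
MACROS_CONF = """\
[indextime]
definition = _index_earliest=-15m

[process_lookup(1)]
definition = lookup procs name AS $field$
"""

# Constructed sample: a Simple XML dashboard whose searches call macros.
DASHBOARD_XML = """\
<dashboard>
  <row><panel><chart><search>
    <query>`threathunting_index` `indextime` | stats count by host</query>
  </search></chart></panel></row>
  <row><panel><table><search>
    <query>index=threathunting | `process_lookup(process_name)`</query>
  </search></table></panel></row>
</dashboard>
"""

# Stanza headers look like [name] or [name(2)]; only the name is compared,
# so a mismatch in argument count is not detected (simplification).
STANZA = re.compile(r"^\[([^\]\(\s]+)(?:\(\d+\))?\]\s*$", re.MULTILINE)
# Macro calls in SPL are wrapped in backticks: `name` or `name(arg, ...)`.
MACRO_REF = re.compile(r"`([^`(]+)(?:\([^`]*\))?`")

def defined_macros(conf_text):
    """Names of all macro stanzas in a macros.conf body."""
    return set(STANZA.findall(conf_text))

def referenced_macros(dashboard_xml):
    """Names of all macros called from the dashboard's search elements."""
    root = ET.fromstring(dashboard_xml)
    names = set()
    for tag in ("query", "searchString"):  # current and legacy element names
        for node in root.iter(tag):
            names.update(m.strip() for m in MACRO_REF.findall(node.text or ""))
    return names

def missing_macros(conf_text, dashboard_xml):
    """Macros the dashboard calls that the conf never defines, sorted."""
    return sorted(referenced_macros(dashboard_xml) - defined_macros(conf_text))

if __name__ == "__main__":
    for name in missing_macros(MACROS_CONF, DASHBOARD_XML):
        print(f"undefined macro: {name}")
```

The check only looks at the one `macros.conf` it is given; a macro shared globally from another app would be reported as missing and needs to be confirmed in Splunk itself.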