wazuh-dashboard-plugins
Error creating default wazuh-security-events dashboard in Splunk
Wazuh | Rev | Browser |
---|---|---|
4.8.0 | - | - |
Description
A community user reported a problem while following the Splunk Integration guide: creating a dashboard in Splunk from the default wazuh-security-events dashboard provided by the guide fails. The dashboard file is https://packages.wazuh.com/integrations/splunk/4.x-9.x/dashboards/wz-sp-4.x-9.x-wazuh-security-events.
Preconditions
- This has been tested originally on Wazuh 4.8.0 and Splunk Enterprise v9.21
Steps to reproduce
- Perform the integration using a universal forwarder as stated in the guide.
- Verify data is being sent to Splunk.
- Create a dashboard for wz-sp-4.x-9.x-wazuh-security-events
Expected Result
- Splunk's dashboard works correctly
Actual Result
- An error `[/inputs/input_global_trp/options]: must NOT have additional properties, [/inputs/input_global_trp]: must match "then" schema` is shown
Screenshots
(Screenshot provided by the user)
Additional context
- There are no errors in `/opt/splunkforwarder/var/log/splunk/splunkd.log`
- No modifications were done to the dashboard file
- Reporter: https://github.com/wazuh/community/issues/28505
Proposed workaround
From this section here:
```json
"inputs": {
  "input_global_trp": {
    "type": "input.timerange",
    "options": {
      "token": "global_time",
      "defaultValue": "-60m@m,now",
      "queryParameters": {
        "latest": "$global_time.latest$",
        "earliest": "$global_time.earliest$"
      }
    },
    "title": "Global Time Range"
  }
},
```
Inside `inputs.input_global_trp.options`, this should be deleted:
```json
"queryParameters": {
  "latest": "$global_time.latest$",
  "earliest": "$global_time.earliest$"
}
```
So the remaining config would look like this:
```json
"inputs": {
  "input_global_trp": {
    "type": "input.timerange",
    "options": {
      "token": "global_time",
      "defaultValue": "-60m@m,now"
    },
    "title": "Global Time Range"
  }
},
```
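The workaround above can be applied with a small script instead of by hand. This is an added example, not code from the Wazuh project or the guide: it assumes the downloaded dashboard file is a single JSON object with a top-level `inputs` map, and it generalizes the fix to every `input.timerange` input rather than only `input_global_trp`. The function name and the sample definition are constructed for illustration.

```python
import copy
import json
import sys

# Key that the schema error on this page rejects inside the input's "options".
REJECTED_KEY = "queryParameters"

def strip_timerange_query_parameters(definition):
    """Return (patched_copy, changed_input_ids); the argument is left untouched."""
    patched = copy.deepcopy(definition)
    changed = []
    for input_id, spec in patched.get("inputs", {}).items():
        # Only time range inputs are touched; other input types keep their options.
        if not isinstance(spec, dict) or spec.get("type") != "input.timerange":
            continue
        options = spec.get("options")
        if isinstance(options, dict) and REJECTED_KEY in options:
            del options[REJECTED_KEY]
            changed.append(input_id)
    return patched, changed

# Constructed sample: the input from this page plus a made-up second input.
SAMPLE = {
    "inputs": {
        "input_global_trp": {
            "type": "input.timerange",
            "options": {
                "token": "global_time",
                "defaultValue": "-60m@m,now",
                "queryParameters": {
                    "latest": "$global_time.latest$",
                    "earliest": "$global_time.earliest$",
                },
            },
            "title": "Global Time Range",
        },
        "input_example_other": {"type": "input.dropdown", "options": {"token": "t"}},
    }
}

if __name__ == "__main__":
    # With a path argument, patch that file's content; otherwise use the sample.
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = json.load(fh)
    else:
        source = SAMPLE
    result, changed_ids = strip_timerange_query_parameters(source)
    print("patched inputs:", changed_ids, file=sys.stderr)
    json.dump(result, sys.stdout, indent=2)
```

The patched definition is written to standard output, so the original file stays unmodified until the result has been reviewed.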