"Splunk ES Integration for Security Operations" Integration, Security Incidents are not Being Created in the SN Instances as Expected, System Log: Splunk ES: error in transform InternalError: String object has exceeded maximum permitted size of 33554432DescriptionUsing the "Splunk ES Integration for Security Operations" integration, Security Incidents were not being created in the SN instances as expected. System node log shows error for affected notable ID(s): "Splunk ES: error in transform InternalError: String object has exceeded maximum permitted size of 33554432" With a created timestamp matching the sys_updated_on timestamp in the import table sn_sec_splunkes_event_import for the affected notable ID(s) row(s).Steps to Reproduce 1. The "Splunk ES Integration for Security Operations" integration runs 2. There is a notable ID inserted into the import set table sn_sec_splunkes_event_import 3. The row shows the following after processing by the transform map "Splunk ES Map Event To Task": <sys_import_state>ignored</sys_import_state><sys_import_state_comment>Row transform ignored by onBefore script</sys_import_state_comment> 4. System log shows "Splunk ES: error in transform InternalError: String object has exceeded maximum permitted size of 33554432" error with the same timestamp as the sys_updated_on in the import set row. 5. After debugging, the root cause is due to the unexpected behavior of the replace function in _buildInputValue function in Splunk ES Script Include file 'SplunkESFieldMapProcessor' (at line 250). This is caused by an unexpected character(s) in the JSON payload received from Splunk in the sn_sec_splunkes_event_import record, e.g. the characters '$&' are in the Notable Event Raw data. WorkaroundThe attached script include sys_script_include_5eb8a3c10f073300012db8a276767e6f (2).xml replaces the script include "SplunkESFieldMapProcessor" which has the correction to resolve this issue. 
This can be XML imported into the instance to replace the existing "SplunkESFieldMapProcessor" script include. The new script handles the unexpected characters so that the error is no longer seen and the import set row will process normally, doing an insert instead of being ignored. Note the following two things: + Ensure that the affected notable ID(s) are created in the past seven days as Splunk ES integration only pulls the notable events which are created in the last seven days. + Be sure to delete the import set record from import table sn_sec_splunkes_event_import for the affected notable ID(s), then let Splunk do another import, or start one on demand, this will create a new row(s) in import table sn_sec_splunkes_event_import for the notable ID(s) and the row should insert a new record instead of ignoring as it did before, also the error "Splunk ES: error in transform InternalError: String object has exceeded maximum permitted size of 33554432 " should no longer appear in the system logs. Related Problem: PRB1440915
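
The replace behavior named as the root cause in step 5 can be reproduced outside the instance. The following is an added example, not the SplunkESFieldMapProcessor source: the helper names, the '{{raw}}' placeholder and the sample values are assumptions constructed for illustration. It shows how '$&' in a replacement string is expanded to the matched text, and two ways to insert the value literally.

```javascript
// Added example: hypothetical helpers, not the SplunkESFieldMapProcessor source.
// Constructed sample values; the '{{raw}}' placeholder syntax is an assumption.
var TEMPLATE = '{"raw":"{{raw}}"}';
var RAW = 'cmd=echo $& done'; // constructed raw data containing the characters '$&'

// Unsafe: a string passed as the replacement argument is scanned for the
// special patterns $&, $`, $', $n and $$ before it is inserted.
function fillUnsafe(template, value) {
  return template.replace('{{raw}}', value);
}

// Safe: the return value of a replacer function is inserted literally.
function fillSafe(template, value) {
  return template.replace('{{raw}}', function () { return value; });
}

// Safe alternative: double every '$' so the string form inserts it literally.
function escapeReplacement(value) {
  return String(value).replace(/\$/g, '$$$$');
}

// Apply `fill` for a fixed number of passes and record the length after each,
// to show whether the placeholder survives and the output keeps growing.
function lengthsAfterPasses(fill, passes) {
  var out = TEMPLATE, lengths = [];
  for (var i = 0; i < passes; i++) {
    out = fill(out, RAW);
    lengths.push(out.length);
  }
  return lengths;
}

console.log(fillUnsafe(TEMPLATE, RAW));        // placeholder reappears in the output
console.log(fillSafe(TEMPLATE, RAW));          // '$&' preserved as data
console.log(lengthsAfterPasses(fillUnsafe, 4)); // grows on every pass
console.log(lengthsAfterPasses(fillSafe, 4));   // stable after the first pass
```

With the string form, the matched placeholder is written back into the output in place of '$&', so the raw data is altered and any later substitution pass finds the placeholder again.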