https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344051#M3267 <P>Hmm, this indicates you are a cloud customer. If that is the case email me your info jwelch @ splunk dot com.</P> <P>I will take a look for you.</P> <P>Otherwise, if I am missing something here, we log the success or failure of a download in the threatlist.log in /opt/splunk/var/log/splunk</P> <P>index=_internal source =*threatlist.log alexa</P> <P>This could be related to a previous failure and now it is successful, and you are hitting the bug I was talking about, which I did not think affected 4.2.0</P> <P>Or it really is failing and I need to see why from the backend.</P> <P>If you are not a cloud customer you could try this from your SH</P> <P>wget <A href="https://s3.amazonaws.com/alexa-static/top-1m.csv.zip">https://s3.amazonaws.com/alexa-static/top-1m.csv.zip</A>? to determine if you have success.</P> <P>Let me know here or via email how I can help</P> Fri, 10 Mar 2017 13:46:43 GMT jwelch_splunk 2017-03-10T13:46:43Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344044#M3260 <P>Splunk Enterprise Security: why am I getting this error message?</P> <PRE><CODE>msg="A threat intelligence download has failed" stanza="alexa_top_one_million_sites" status="threat list download failed after multiple retries" </CODE></PRE> Thu, 09 Mar 2017 14:41:47 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344044#M3260 emmanuelpeter 2017-03-09T14:41:47Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344045#M3261 <P>Can you access the URL: <A href="https://s3.amazonaws.com/alexa-static/top-1m.csv.zip">https://s3.amazonaws.com/alexa-static/top-1m.csv.zip</A>? This is where the Alexa Top Million is hosted. Personally, I can, so I know they haven't shut down the Alext top million (like happened a few months back and presumably will happen again). It's possible that your Splunk ES Search Head can't access that URL itself, blocked by a content filter or web proxy in your network somewhere. If you don't use the Alexa Top Million, you could just disable the input.</P> Thu, 09 Mar 2017 17:28:14 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344045#M3261 mparks11 2017-03-09T17:28:14Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344046#M3262 <P>You could also be hitting a bug.<BR /> What version of ES are you running? </P> Fri, 10 Mar 2017 05:07:41 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344046#M3262 jwelch_splunk 2017-03-10T05:07:41Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344047#M3263 <P>I'm currently running Splunk Version 6.4.1.2<BR /> what sort of bug could that be?</P> Fri, 10 Mar 2017 10:48:11 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344047#M3263 emmanuelpeter 2017-03-10T10:48:11Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344048#M3264 <P>I can access the CSV.Zip, but how can I check to see if my search head can access it. Thanks</P> Fri, 10 Mar 2017 10:53:18 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344048#M3264 emmanuelpeter 2017-03-10T10:53:18Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344049#M3265 <P>What version of ES are you running</P> Fri, 10 Mar 2017 11:50:50 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344049#M3265 jwelch_splunk 2017-03-10T11:50:50Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344050#M3266 <P>currently is 4.2.0</P> Fri, 10 Mar 2017 12:21:55 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344050#M3266 emmanuelpeter 2017-03-10T12:21:55Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344051#M3267 <P>Hmm, this indicates you are a cloud customer. If that is the case email me your info jwelch @ splunk dot com.</P> <P>I will take a look for you.</P> <P>Otherwise, if I am missing something here, we log the success or failure of a download in the threatlist.log in /opt/splunk/var/log/splunk</P> <P>index=_internal source =*threatlist.log alexa</P> <P>This could be related to a previous failure and now it is successful, and you are hitting the bug I was talking about, which I did not think affected 4.2.0</P> <P>Or it really is failing and I need to see why from the backend.</P> <P>If you are not a cloud customer you could try this from your SH</P> <P>wget <A href="https://s3.amazonaws.com/alexa-static/top-1m.csv.zip">https://s3.amazonaws.com/alexa-static/top-1m.csv.zip</A>? to determine if you have success.</P> <P>Let me know here or via email how I can help</P> Fri, 10 Mar 2017 13:46:43 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344051#M3267 jwelch_splunk 2017-03-10T13:46:43Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344052#M3268 <P>I've dropped you an email. please do let me know if you receive it.</P> Fri, 10 Mar 2017 15:03:39 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344052#M3268 emmanuelpeter 2017-03-10T15:03:39Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344053#M3269 <P>Looks like jwelch beat me to the punch! </P> <PRE><CODE>wget <A href="https://s3.amazonaws.com/alexa-static/top-1m.csv.zip" target="test_blank">https://s3.amazonaws.com/alexa-static/top-1m.csv.zip</A> </CODE></PRE> Fri, 10 Mar 2017 15:46:40 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344053#M3269 mparks11 2017-03-10T15:46:40Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344054#M3270 <P>We ended up working this issue from a support perspective, and this was related to specific configs within the customers ENV. If customer wishes to share our findings he can note that here.</P> <P>Having said that under normal circumstances, using wget to validate connectivity from SH to source is a good first start to understand why the download is failing.</P> Fri, 10 Mar 2017 16:40:17 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344054#M3270 jwelch_splunk 2017-03-10T16:40:17Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344055#M3271 <P><A href="https://answers.splunk.com/answers/606997/a-threat-intelligence-download-has-failedstatusthr-1.html?childToView=608146#answer-608146">https://answers.splunk.com/answers/606997/a-threat-intelligence-download-has-failedstatusthr-1.html?childToView=608146#answer-608146</A></P> Wed, 03 Jan 2018 07:50:20 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-am-I-getting-this-error-message/m-p/344055#M3271 risgupta 2018-01-03T07:50:20Z