topic Re: Splunk Enterprise Security: Why does the Risk Analysis data model fail to build? in Splunk Enterprise Security

Splunk Enterprise Security: Why does the Risk Analysis data model fail to build?

asimagu — Fri, 17 Mar 2017 14:44:53 GMT

This particular data model (Risk Analysis) that comes with Splunk Enterprise Security is failing to build due to a calculated field that generates from the correlationsearches_lookup.

I believe that the problem lies in the replication bundle not being able to copy/sync from the Search Heads to the Indexers.

So, when I try to use that lookup from the SH, it gives me the following error from each Indexer:

Streamed search execute failed because: Error in 'lookup' command

any ideas about how I could fix the problem with the bundle being transferred from Search Head to Indexers?

Re: Splunk Enterprise Security: Why does the Risk Analysis data model fail to build?

jwelch_splunk — Tue, 29 Sep 2020 13:18:21 GMT

You can't blacklist that file from your bundle on the search head.

To validate the issue:

run
|rest /services/datamodel/acceleration |search title=Risk |fields title search

In the search field copy and paste that entire search to your search bar and run it. You should see your Error.

Then modify the:
" lookup correlationsearches_lookup"
to
"lookup local=true correlationsearches_lookup"

This should now find data.

If this test works as I described it you need to review your distsearch.conf and find where you are blacklisting this this file and fix it.

Okie

Re: Splunk Enterprise Security: Why does the Risk Analysis data model fail to build?

asimagu — Mon, 20 Mar 2017 09:08:36 GMT

are these lines the ones that I should delete/comment from my config file??

## Prevent correlation search list from being replicated via distsearch
## per SOLNESS-6255 these are no longer in use but will continue to be excluded
nocorrelationsearches     = apps[/\\]SA-ThreatIntelligence[/\\]lookups[/\\]correlationsearches.csv

Re: Splunk Enterprise Security: Why does the Risk Analysis data model fail to build?

jwelch_splunk — Mon, 20 Mar 2017 12:35:27 GMT

What version of ES are you running?

Re: Splunk Enterprise Security: Why does the Risk Analysis data model fail to build?

asimagu — Mon, 20 Mar 2017 14:09:49 GMT

4.5.1
is it possible that when someone upgraded the app, forgot to do any manual steps??

Re: Splunk Enterprise Security: Why does the Risk Analysis data model fail to build?

jwelch_splunk — Tue, 29 Sep 2020 13:18:37 GMT

Odd thing is this appears to have been moved to kvstore. Open a support case if you can and provide me the number. I want to make sure we take care of this the right way, I feel like we might be missing something.

Correlation Searches

[correlationsearches_lookup]
external_type = kvstore
collection = correlationsearches
fields_list = _key,security_domain,severity,rule_name,description,rule_title,rule_description,drilldown_name,drilldown_search,drilldown_earliest_offset,drilldown_latest_offset,default_status,default_owner,next_steps,recommended_actions
max_matches = 1

Re: Splunk Enterprise Security: Why does the Risk Analysis data model fail to build?

asimagu — Mon, 20 Mar 2017 15:03:08 GMT

I will try that once they give me access to open support cases. (I'm new here)

Re: Splunk Enterprise Security: Why does the Risk Analysis data model fail to build?

asimagu — Tue, 28 Mar 2017 08:02:53 GMT

I finally opened the Support Case: CASE [465439]

Re: Splunk Enterprise Security: Why does the Risk Analysis data model fail to build?

hazekamp — Mon, 07 Aug 2017 20:13:23 GMT

We are tracking several known causes for lookups not being replicated from SH->Indexer.

If app is disabled. See app.conf
If lookup is a kvstore collection and replicate is set to false. See collections.conf
If lookup has been blacklisted from replication (applies to both csv and kvstore collections). See distsearch.conf.
If distributed search is disabled (often seen in environments that upgraded to index clustering). See distsearch.conf.

David