Hi there.
Our Security team requested this app, so we'd like to give it a try. We're in Splunk Cloud (managed, multi-tier, clustered, v8.0).
Splunk Cloud Support installed the app and the script (and presumably curl call) appears to be getting executed successfully, but we get the following error message:
06-19-2020 18:03:47.502 ERROR script - sid:1592589699.48204_791B8AB7-1DA7-4625-BB26-A1D7AF2DC563 command="getwatchlist", Error fetching watch list: <urlopen error [Errno 110] Connection timed out>
They suggested I post a request to the developer of the app, which I'm quoting below:
https://github.com/datamann119/getwatchlist
I updated the Python script so it works with Python3 on 8.x.
I am also a Cloud customer and can't run getwatchlist there either. So I have to run the addon on a Heavy Forwarder on-prem put the data in an index. I just finished re-writing it so it runs on 8.0.5 with Python3. I just came here looking for a repo where I could post, but it doesn't look like it's in a Github repo. Let me know if you need a copy that runs in 8.x and I'll send it to you.
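Added example (not the getwatchlist app's own code): a Python 3 fetch helper that turns the bare `<urlopen error [Errno 110] Connection timed out>` seen above into a diagnosis string, so the Splunk log distinguishes "never connected" (DNS or egress problem) from "connected but the server returned an error". The watch list URL and the one-indicator-per-line format are assumptions.

```python
import errno
import socket
import urllib.error
import urllib.request


def classify_fetch_error(exc):
    """Map an exception raised by urlopen() to a short, log-friendly diagnosis."""
    if isinstance(exc, urllib.error.HTTPError):
        return "http_error:%d" % exc.code  # endpoint reached; it answered with an error status
    # URLError wraps the underlying socket error in .reason; anything else is used as-is
    reason = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    if isinstance(reason, (socket.timeout, TimeoutError)):
        return "connect_timeout"  # timeout= fired, or the OS gave up before the handshake completed
    if isinstance(reason, socket.gaierror):
        return "dns_failure"  # hostname did not resolve
    if isinstance(reason, OSError) and reason.errno == errno.ETIMEDOUT:
        return "connect_timeout"  # the "[Errno 110] Connection timed out" case from the thread
    if isinstance(reason, OSError):
        return "network_error:%s" % (reason.strerror or reason)
    return "unexpected:%s" % type(exc).__name__


def parse_watchlist(text):
    """One indicator per line; blank lines and '#' comments are ignored (assumed format)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def fetch_watchlist(url, timeout=15):
    """Return (entries, diagnosis); diagnosis is None on success."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except Exception as exc:  # surface every failure as a diagnosis rather than a traceback
        return [], classify_fetch_error(exc)
    return parse_watchlist(body), None


if __name__ == "__main__":
    # Assumed URL; replace with the watch list endpoint configured for the app.
    entries, diagnosis = fetch_watchlist("https://watchlist.example.invalid/list.txt")
    print("fetched %d entries, diagnosis=%s" % (len(entries), diagnosis))
```

A `connect_timeout` or `dns_failure` diagnosis means the request never reached the watch list host, which is the case to raise with Splunk Cloud Support; an `http_error` means outbound connectivity is fine and the problem is on the server side.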
Update from Splunk Cloud regarding question about open ports "by default" and "by request":
On Search head:
By default the following ports are open to the world, unless you provided an IP to restrict access to that one:
80
443
8089
On indexers:
443
8089
9997
Inputs data manager:
80
443
8089
On search head and indexers, ports other than the default are not allowed; it is possible, however, to open additional ports on the inputs data manager (IDM) instance. Note: The IDM instance is not a SHC member, so writing lookups to IDM does not make them available on (in) Splunk Cloud SHC.