
Getwatchlist: curl command timing out in Splunk Cloud


Hi there. 

Our Security team requested this app, so we'd like to give it a try. We're in Splunk Cloud (managed, multi-tier, clustered, v8.0).

Splunk Cloud Support installed the app and the script (and presumably curl call) appears to be getting executed successfully, but we get the following error message:

06-19-2020 18:03:47.502 ERROR script - sid:1592589699.48204_791B8AB7-1DA7-4625-BB26-A1D7AF2DC563 command="getwatchlist", Error fetching watch list: <urlopen error [Errno 110] Connection timed out>

They suggested I post a request to the developer of the app, which I'm quoting below:

Mon 6/22/2020 9:37 AM
All I can see is that on the Python script there is a dictionary created to start the request (a POST, I guess) to the URL; the port set is 8080, perhaps that might be the issue.

However, we cannot make changes at script level, and even more so because this app is not supported.

I suggest you contact the app developers, check the port or network needs that have to be set according to the error you are receiving, and see if something has to be adjusted on our side,

[...] Splunk Technical Support
Is there a specific configuration request we should make of Splunk Cloud Support to allow the curl call not to time out?
Thanks in advance.



I updated the Python script so it works with Python3 on 8.x.


I am also a Cloud customer and can't run getwatchlist there either. So I have to run the add-on on a Heavy Forwarder on-prem and put the data in an index. I just finished rewriting it so it runs on 8.0.5 with Python3. I just came here looking for a repo where I could post, but it doesn't look like it's in a GitHub repo. Let me know if you need a copy that runs in 8.x and I'll send it to you.


Update from Splunk Cloud regarding question about open ports "by default" and "by request":

On Search head:
By default the following ports are open to the world, unless you provided an IP to restrict access to that one,

On indexers:

Inputs data manager

On search head and indexers, ports other than the default are not allowed; it is possible, however, to open additional ports on the inputs data manager (IDM) instance. Note: The IDM instance is not a SHC member, so writing lookups to IDM does not make them available on (in) Splunk Cloud SHC.
