
Getwatchlist: curl command timing out in Splunk Cloud

Communicator

Hi there. 

Our Security team requested this app, so we'd like to give it a try. We're in Splunk Cloud (managed, multi-tier, clustered, v8.0).

Splunk Cloud Support installed the app and the script (and presumably curl call) appears to be getting executed successfully, but we get the following error message:

06-19-2020 18:03:47.502 ERROR script - sid:1592589699.48204_791B8AB7-1DA7-4625-BB26-A1D7AF2DC563 command="getwatchlist", Error fetching watch list: <urlopen error [Errno 110] Connection timed out>

They suggested I post a request to the developer of the app, which I'm quoting below:

Mon 6/22/2020 9:37 AM

[...]
All I can see is that in the Python script there is a dictionary created to start the request (a POST, I guess) to the URL; the port set is 8080, perhaps that might be the issue.

However, we cannot make changes at script level, and even more so because this app is not supported.

I suggest you contact the app developers, check the port or network needs that have to be set according to the error you are receiving, and see if something has to be adjusted on our side.

[...] Splunk Technical Support

Is there a specific configuration request we should make of Splunk Cloud Support to allow the curl call not to time out?

Thanks in advance.

Engager

https://github.com/datamann119/getwatchlist

I updated the Python script so it works with Python 3 on 8.x.

Builder

I am also a Cloud customer and can't run getwatchlist there either. So I have to run the addon on a Heavy Forwarder on-prem and put the data in an index. I just finished re-writing it so it runs on 8.0.5 with Python 3. I just came here looking for a repo where I could post, but it doesn't look like it's in a GitHub repo. Let me know if you need a copy that runs in 8.x and I'll send it to you.

Communicator

Update from Splunk Cloud regarding question about open ports "by default" and "by request":

On search head:
By default the following ports are open to the world, unless you provided an IP to restrict access to that one:
80, 443, 8089

On indexers:
443, 8089, 9997

Inputs data manager:
80, 443, 8089

On search head and indexers, ports other than the default are not allowed; it is possible, however, to open additional ports on the inputs data manager (IDM) instance. Note: The IDM instance is not a SHC member, so writing lookups to IDM does not make them available on (in) Splunk Cloud SHC.
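As an added diagnostic, not code from the getwatchlist app or from anyone in this thread: a small Python 3 check that refuses to call urlopen when the watchlist URL's port is outside the set Support listed as open on a search head (80, 443, 8089), and labels the failure when the call is made, so an Errno 110 shows up as "timeout" rather than a vague fetch error. The URL, host name and 10-second timeout are assumptions, and the port set is the one quoted above.

```python
import socket
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Ports Splunk Cloud Support listed in this thread as open by default on a search
# head. Other ports are not refused, they hang until the OS gives up (Errno 110).
DEFAULT_OPEN_PORTS = {80, 443, 8089}

def url_port(url):
    """Effective TCP port of a URL: the explicit one, else the scheme default."""
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return {"http": 80, "https": 443}.get(parts.scheme)

def preflight(url, open_ports=DEFAULT_OPEN_PORTS):
    """Before any network call, say whether the URL's port can leave the host."""
    port = url_port(url)
    if port is None:
        return False, "unsupported scheme in %r" % url
    if port not in open_ports:
        return False, "port %d not in open set %s; expect a timeout" % (port, sorted(open_ports))
    return True, "port %d is open" % port

def classify(exc):
    """Map an exception from urlopen (or a bare OSError) to an actionable label."""
    if isinstance(exc, urllib.error.HTTPError):
        return "http_%d" % exc.code          # server answered: egress works
    reason = getattr(exc, "reason", exc)     # URLError wraps the socket error
    if isinstance(reason, (socket.timeout, TimeoutError)):
        return "timeout"                     # filtered port or no route
    if isinstance(reason, socket.gaierror):
        return "dns_failure"                 # resolution blocked or wrong name
    if isinstance(reason, ConnectionRefusedError):
        return "connection_refused"          # host reachable, nothing listening
    return "other: %s" % reason

def fetch_watchlist(url, timeout=10):
    """Fetch the list with a bounded timeout; returns (status, body_or_None)."""
    ok, msg = preflight(url)
    if not ok:
        return "blocked_port", msg
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "ok", resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as exc:
        return classify(exc), None
```

Run it with the assumed URL `http://watchlist.example.invalid:8080/list.txt` and it returns `blocked_port` without touching the network; on the IDM, where extra ports can be opened, pass the IDM's allowed set as `open_ports`.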