Getwatchlist: curl command timing out in Splunk Cloud

wryanthomas
Contributor

Hi there. 

Our Security team requested this app, so we'd like to give it a try. We're in Splunk Cloud (managed, multi-tier, clustered, v8.0).

Splunk Cloud Support installed the app and the script (and presumably curl call) appears to be getting executed successfully, but we get the following error message:

06-19-2020 18:03:47.502 ERROR script - sid:1592589699.48204_791B8AB7-1DA7-4625-BB26-A1D7AF2DC563 command="getwatchlist", Error fetching watch list: <urlopen error [Errno 110] Connection timed out>

They suggested I post a request to the developer of the app, which I'm quoting below:

Mon 6/22/2020 9:37 AM
 
 
[...]
All I can see is that in the Python script there is a dictionary created to start the request (a POST, I guess) to the URL; the port set is 8080, and perhaps that might be the issue.

However, we cannot make changes at the script level, and even more so because this app is not supported.

I suggest you contact the app developers, check the port or network needs that have to be set according to the error you are receiving, and see if something has to be adjusted on our side.

[...] Splunk Technical Support
 
Is there a specific configuration request we should make of Splunk Cloud Support so that the curl call does not time out?
 
Thanks in advance.
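One way to narrow down the timeout reported above, as an added example that is not part of the getwatchlist app or of this thread: a small Python 3 probe that attempts the same kind of urllib fetch the app's script makes, with a short timeout, and classifies the failure as blocked egress (the `[Errno 110] Connection timed out` case), a DNS failure, a refused connection or an HTTP error. The URL, port and path are placeholders; the real list URL comes from the app's configuration. Run it from the search head's own interpreter (`splunk cmd python3 probe.py <url>`) and the diagnosis line tells you whether the search head can reach the list host at all, which is the question to put to Splunk Cloud Support together with the port list.

```python
"""Egress probe for a scripted search command that fetches a remote watch list.

Added example, not code from the getwatchlist app. It reproduces the kind of
urllib call the app's script makes and turns the resulting exception into a
short diagnosis that can be quoted to Splunk Cloud Support.
"""
import errno
import socket
import sys
import urllib.error
import urllib.request

# Hypothetical placeholder; the real list URL and port come from the app's config.
WATCHLIST_URL = "http://watchlist.example.invalid:8080/list.txt"


def classify_fetch_error(exc):
    """Map an exception raised by urlopen() to a short diagnosis string.

    egress-blocked : TCP connect never completed (ETIMEDOUT or socket timeout);
                     on a managed search head this usually means the outbound
                     port is not allowed through the perimeter
    dns            : the hostname did not resolve
    refused        : the host answered but nothing listens on that port
    http-<code>    : the server replied with an HTTP error status
    other          : anything else (e.g. a URLError with a string reason)
    """
    if isinstance(exc, urllib.error.HTTPError):
        return "http-%d" % exc.code
    # URLError wraps the underlying socket error in .reason
    reason = getattr(exc, "reason", exc)
    if isinstance(reason, socket.gaierror):
        return "dns"
    if isinstance(reason, socket.timeout):
        return "egress-blocked"
    if isinstance(reason, OSError):
        if reason.errno == errno.ETIMEDOUT:
            return "egress-blocked"
        if reason.errno == errno.ECONNREFUSED:
            return "refused"
    return "other"


def probe(url=WATCHLIST_URL, timeout=5.0, opener=urllib.request.urlopen):
    """Fetch `url` with a short timeout; return (ok, diagnosis, detail).

    `opener` is injectable so the classification can be exercised offline.
    """
    try:
        with opener(url, timeout=timeout) as resp:
            body = resp.read()
        return True, "ok", "%d bytes" % len(body)
    except OSError as exc:  # URLError and socket errors are all OSError subclasses
        return False, classify_fetch_error(exc), str(exc)


def raising_opener(exc):
    """Stand-in for urlopen() that raises `exc` (offline demonstration only)."""
    def _open(url, timeout=None):
        raise exc
    return _open


def sample_exceptions():
    """Constructed exceptions mirroring what urlopen() raises in each failure mode."""
    return {
        "timeout_errno": urllib.error.URLError(
            OSError(errno.ETIMEDOUT, "Connection timed out")),
        "timeout_socket": urllib.error.URLError(socket.timeout("timed out")),
        # -2 is EAI_NONAME on glibc; the value does not matter for classification
        "dns": urllib.error.URLError(socket.gaierror(-2, "Name or service not known")),
        "refused": urllib.error.URLError(
            ConnectionRefusedError(errno.ECONNREFUSED, "Connection refused")),
        "forbidden": urllib.error.HTTPError(WATCHLIST_URL, 403, "Forbidden", {}, None),
    }


if __name__ == "__main__":
    # Offline: show how each constructed failure is classified.
    for name, exc in sample_exceptions().items():
        ok, diag, detail = probe(opener=raising_opener(exc))
        print("%-15s -> %-14s %s" % (name, diag, detail))
    # Live: probe a real URL if one is given, e.g.
    #   splunk cmd python3 probe.py http://watchlist.example.invalid:8080/list.txt
    if len(sys.argv) > 1:
        ok, diag, detail = probe(sys.argv[1])
        print("%s %s %s" % ("OK" if ok else "FAIL", diag, detail))
        sys.exit(0 if ok else 1)
```

The `egress-blocked` result is the one that matches the error in the question: the connect never completes, so the fix lies in the network path (allowed outbound ports, or running the command somewhere that can reach the host), not in the script. A `dns` or `refused` result points at the list host or URL instead.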

datamann119
Engager

https://github.com/datamann119/getwatchlist

 

I updated the Python script so it works with Python3 on 8.x.

_smp_
Builder

I am also a Cloud customer and can't run getwatchlist there either. So I have to run the add-on on a Heavy Forwarder on-prem and put the data in an index. I just finished re-writing it so it runs on 8.0.5 with Python 3. I just came here looking for a repo where I could post, but it doesn't look like it's in a GitHub repo. Let me know if you need a copy that runs in 8.x and I'll send it to you.

wryanthomas
Contributor

Update from Splunk Cloud regarding question about open ports "by default" and "by request":

On Search head:
By default the following ports are open to the world, unless you provided an IP to restrict access to that one:
80
443
8089

On indexers:
443
8089
9997

Inputs data manager
80
443
8089

On search heads and indexers, ports other than the default are not allowed; it is possible, however, to open additional ports on the inputs data manager (IDM) instance. Note: The IDM instance is not a SHC member, so writing lookups to the IDM does not make them available on the Splunk Cloud SHC.
