
How to resolve VirusTotal app on Splunk giving search error?

jayanth221
New Member

Recently installed the VirusTotal app on my Splunk: https://splunkbase.splunk.com/app/4283/
Completed the initial app setup with the VT token.
When I come back to search and execute the | virustotal command, I receive the error below:
"VirusTotal Command: No field specified for matching. Specify one of 'hash=', 'ip=', 'url=', or 'domain=' and try again."

I modified my search query to | virustotal ip="8.8.8.8"
and received the error: Illegal value: ip=8.8.8.8

Some background information
- Version of VirusTotal TA you're using - 2.0.0
- Whether the Splunk instance you installed it on is Splunk Cloud or on-premises- on-prem
- Version of Splunk - 7.3.4
- Type of Splunk instance (e.g. Search Head, Indexer, Heavy Forwarder, All-In-One) - Search Head
- Does your environment require a proxy to call out to the internet - Yes

Could someone advise how this can be resolved?

0 Karma

haoliveiramb
New Member

Hi @jayanth221,

The correct syntax of the command is "| virustotal url=field", where "field" in your event search result holds the URL value to search against the VirusTotal API.

Something like this:

| makeresults | eval site="https://www.google.com"
| rename site as url
| virustotal url=url

The app queries the API with the value of the site field and returns data about it.

Well, you can search for a specific IP value, but you will use a makeresults command and put the value on the field:

| makeresults
| eval ip="8.8.8.8"
| virustotal ip=ip


Regards,

0 Karma

dbroggy
Path Finder

Doesn't seem to work anymore.

It might need a flag option for ssl_verify=false (or something more secure 🙂).

AttributeError at "/opt/splunk/etc/apps/TA-VirusTotal/bin/virustotal.py", line 508 : 'SSLError' object has no attribute 'message'


0 Karma
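The AttributeError quoted above is what Python 3 raises for `err.message`: Python 2 exceptions carried a `message` attribute, Python 3 removed it, and Splunk 8 runs apps under Python 3. This added example is not code from the thread or from the TA-VirusTotal app; it reproduces the failing handler offline with a stand-in `SSLError` class (assumed, standing in for `requests.exceptions.SSLError`) and shows a portable way to surface the certificate error so it can be fixed in the trust store or proxy configuration rather than hidden by disabling verification.

```python
"""Why `err.message` crashes on Python 3, and a portable replacement.

Added example; SSLError below is a constructed stand-in so the code runs
without network access or the requests library.
"""


class SSLError(Exception):
    """Stand-in for requests.exceptions.SSLError (assumed shape: args[0] is text)."""


def legacy_describe(err):
    # Python 2 idiom: BaseException.message no longer exists on Python 3,
    # so this line itself raises AttributeError inside the except handler.
    return "SSL error: " + err.message


def portable_describe(err):
    # Works on Python 2 and 3: use the first positional argument when present,
    # otherwise fall back to str(err), which always yields the error text.
    detail = err.args[0] if err.args else str(err)
    return "SSL error: {}".format(detail)


def simulate_verify_failure(describe):
    """Simulate the TA's error path for a failed certificate check.

    Returns (message, handler_crashed). handler_crashed is True when the
    describe() callback itself blew up, masking the original SSL problem.
    """
    try:
        # Constructed failure: what a proxy with an untrusted CA typically produces.
        raise SSLError("certificate verify failed")
    except SSLError as err:
        try:
            return describe(err), False
        except AttributeError as inner:
            return "handler crashed: {}".format(inner), True


if __name__ == "__main__":
    for name, fn in (("legacy", legacy_describe), ("portable", portable_describe)):
        print(name, simulate_verify_failure(fn))
```

The portable handler reports the real cause ("certificate verify failed"), which points the operator at the proxy's CA certificate rather than at the command syntax.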