
How to resolve VirusTotal app on Splunk giving search error?

jayanth221
New Member

Recently installed the VirusTotal app on my Splunk instance: https://splunkbase.splunk.com/app/4283/
Completed the initial app setup with my VT token.
When I come back to search and execute the | virustotal command I receive the error below:
"VirusTotal Command: No field specified for matching. Specify one of 'hash=', 'ip=', 'url=', or 'domain=' and try again."

I modified my search query to | virustotal ip="8.8.8.8"
and received the error: Illegal value: ip=8.8.8.8

Some background information:
- Version of VirusTotal TA you're using - 2.0.0
- Whether the Splunk instance you installed it on is Splunk Cloud or on-premises- on-prem
- Version of Splunk - 7.3.4
- Type of Splunk instance (e.g. Search Head, Indexer, Heavy Forwarder, All-In-One) - Search Head
- Does your environment require a proxy to call out to the internet - Yes

Could someone advise how this can be resolved?


haoliveiramb
New Member

Hi @jayanth221,

The correct syntax of the command is "| virustotal url=field", where "field" in your event search result has a value of the URL to search against the VirusTotal API.

Something like this:

| makeresults | eval site="https://www.google.com"
| rename site as url
| virustotal url=url

The app queries the API with the value of the site field and returns data about it.

Well, you can search for a specific IP value, but you will need to use a makeresults command and put the value in the field:

| makeresults
| eval ip="8.8.8.8"
| virustotal ip=ip


Regards,


dbroggy
Path Finder

Doesn't seem to work anymore.

Might need a flag option for ssl_verify=false (or something more secure 🙂 ).

AttributeError at "/opt/splunk/etc/apps/TA-VirusTotal/bin/virustotal.py", line 508 : 'SSLError' object has no attribute 'message'
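
The AttributeError quoted in the comment above is what a Python 2 style exception handler produces once the app runs under Python 3 (Splunk 8.x runs apps on Python 3 by default): Python 2 exceptions carried a `.message` attribute, Python 3 exceptions do not, so an `except SSLError` branch that reads `e.message` blows up before it can report the real TLS failure. The following is an added example, not code from the thread or from the TA-VirusTotal app; it assumes nothing about the app's internals beyond the error text shown, and the `ca_bundle_path` argument is an assumed location for a proxy's root CA in PEM form. It shows the fragile pattern, a handler portable across both interpreter versions, and how to make an intercepting proxy's CA trusted while keeping certificate verification switched on rather than setting ssl_verify=false.

```python
import ssl
import sys

# Constructed sample: the kind of exception a TLS handshake through an
# intercepting proxy with an untrusted CA raises. Built by hand so the
# example runs offline; no network call is made anywhere below.
SAMPLE_SSL_ERROR = ssl.SSLError(
    1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:1129)"
)


def has_legacy_message_attr(exc):
    """True only on Python 2, where BaseException still had `.message`.
    On Python 3 this is False, which is exactly what turns a handled
    SSLError into the AttributeError quoted in the thread."""
    return hasattr(exc, "message")


def legacy_handler(exc):
    """The fragile pattern: reading exc.message directly.
    Works on Python 2, raises AttributeError on Python 3."""
    return exc.message


def legacy_handler_fails(exc):
    """Report whether the fragile pattern breaks on this interpreter."""
    try:
        legacy_handler(exc)
    except AttributeError:
        return True
    return False


def portable_error_text(exc):
    """Describe an exception on both Python 2 and Python 3: use the legacy
    `.message` when present and non-empty, else str(exc), which always exists."""
    legacy = getattr(exc, "message", None)
    if legacy:
        return legacy
    return str(exc)


def classify_tls_failure(exc):
    """Map an SSLError to a short remediation hint for the operator.
    The hint never suggests disabling verification."""
    text = portable_error_text(exc)
    if "CERTIFICATE_VERIFY_FAILED" in text:
        return ("untrusted_ca",
                "The proxy's CA certificate is not in the trust store; add it "
                "to the CA bundle the app uses instead of disabling verification.")
    if "WRONG_VERSION_NUMBER" in text:
        return ("not_tls", "A plain-HTTP or non-TLS proxy answered on the TLS port.")
    return ("other", text)


def make_verified_context(ca_bundle_path=None):
    """Build a client TLS context that keeps hostname and chain checks on.
    ca_bundle_path (assumed path to the proxy root CA, PEM format) is added
    on top of the system store rather than replacing verification."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle_path:
        ctx.load_verify_locations(cafile=ca_bundle_path)
    return ctx


if __name__ == "__main__":
    if legacy_handler_fails(SAMPLE_SSL_ERROR):
        print("Python %d: exc.message raised AttributeError" % sys.version_info[0])
    print(portable_error_text(SAMPLE_SSL_ERROR))
    print(classify_tls_failure(SAMPLE_SSL_ERROR))
```

Run under Python 3 the script shows the legacy handler failing and the portable one returning the underlying CERTIFICATE_VERIFY_FAILED text, which is the information an operator actually needs to fix the proxy trust chain. Passing the proxy's CA file to make_verified_context keeps the API call verified end to end, whereas an ssl_verify=false style flag would silently accept any certificate the proxy presents.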
