
IP Reputation App: Why do I keep getting "Search is waiting for input"?

coldhands
New Member

I have my router sending syslog data to my Splunk server. Search and Reporting is populating the syslog data in real time with no issue. Now I have installed the IP-Reputation app and I keep getting "Search is waiting for input". Are there any configurations needed to populate data through the IP Reputation app?


davparker
Explorer

Yeah, I get nothing as well. I followed the procedures outlined.
Do I need to tweak it for my indexes?
Or, do I need to modify "tag=network tag=communicate action=allowed"?
Does Python need to be installed separately? If so, which version?
How do we go about troubleshooting?

I've got other apps installed and working. I'm pulling in syslog data from an iptables firewall with logging on all the ACLs.
I'm also pulling in data from Meraki APs and a Synology NAS.

Thanks,
David


coldhands
New Member
<form>
  <label>Threat Map Overview</label>

  <row>
    <html>
      <h3>How it works</h3>
      <p>This page visualizes the geo information of blacklisted IPs which have been found in your machine data. Filter down if required.</p>
      <p>Search command executed:</p>
      <pre><b>$filter$</b> | iplocation <b>$lookupfield$</b> | lookup threatscore clientip as <b>$lookupfield$</b> | where threatscore>0 | geostats count by threatscore</pre>
    </html>
  </row>

  <!-- With autoRun="false" the map search below does not run until Submit is
       clicked, even though every token has a default value; until then the
       panel shows "Search is waiting for input" -->
  <fieldset autoRun="false" submitButton="true">
    <input type="time" searchWhenChanged="true">
      <default>Last 24 hours</default>
    </input>

    <input type="text" token="filter">
      <label>Filter-Search</label>
      <default>eventtype=ip_check</default>
    </input>
    <input type="text" token="lookupfield">
      <label>IP-Address Field to lookup:</label>
      <default>dst_ip</default>
    </input>

  </fieldset>

  <row>
    <map>
      <title>Threat Map</title>
      <searchString>$filter$ | iplocation $lookupfield$ | lookup threatscore clientip as $lookupfield$ | where threatscore>0 | geostats count by threatscore</searchString>
      <option name="height">400px</option>

      <!-- use custom colors -->
      <option name="mapping.seriesColors">[0x5379af,0x9ac23c,0xf7902b,0x956d95,0x6ab7c7,0xd85d3c,0xfac51c,0xdd86af]</option>

      <!-- adjust marker opacity and size range -->
      <option name="mapping.markerLayer.markerOpacity">0.8</option>
      <option name="mapping.markerLayer.markerMinSize">10</option>
      <option name="mapping.markerLayer.markerMaxSize">60</option>

      <!-- set initial map center and zoom level -->
      <option name="mapping.map.center">(30.810646,-10.556976)</option>
      <option name="mapping.map.zoom">2</option>
    </map>
  </row>
</form>

coldhands
New Member

I am still getting the same message "Search is waiting for input".


Lazarix
Communicator

Check the XML for the dashboard you are looking at, and ensure that the latestTime tags are populated with something such as:

<latestTime>now</latestTime>

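Putting Lazarix's point about the time-range tags together with the dashboard posted above, here is a version of the form that runs its map search as soon as the dashboard loads, using the default token values. This is an added example, not code from the thread or from the IP Reputation app. It assumes the app's threatscore lookup and ip_check eventtype are present (both appear in the posted XML), uses the current Simple XML <search>/<query> element with <earliest>/<latest> in place of the older <searchString> and <latestTime> tags discussed in the thread, and the time token name time_tok is an arbitrary choice. The two changes that matter for "Search is waiting for input" are autoRun="true" on the fieldset, so the panel does not wait for a Submit click, and a time input with an explicit default that the search references.

```xml
<form>
  <label>Threat Map Overview</label>

  <row>
    <html>
      <h3>How it works</h3>
      <p>This page visualizes the geo information of blacklisted IPs found in your machine data. Filter down if required.</p>
      <p>Search command executed:</p>
      <pre><b>$filter$</b> | iplocation <b>$lookupfield$</b> | lookup threatscore clientip as <b>$lookupfield$</b> | where threatscore>0 | geostats count by threatscore</pre>
    </html>
  </row>

  <!-- autoRun="true": run the panel searches immediately with the default
       token values. With autoRun="false" the map shows "Search is waiting
       for input" until Submit is clicked, because no token is set yet. -->
  <fieldset autoRun="true" submitButton="true">
    <!-- Named time token (name "time_tok" is an arbitrary choice) with an
         explicit default; the map search references it as
         $time_tok.earliest$ / $time_tok.latest$ -->
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>

    <input type="text" token="filter">
      <label>Filter-Search</label>
      <default>eventtype=ip_check</default>
    </input>
    <input type="text" token="lookupfield">
      <label>IP-Address Field to lookup:</label>
      <!-- Must be a field the filtered events actually contain; for syslog
           from a firewall that may be dest_ip or dst rather than dst_ip -->
      <default>dst_ip</default>
    </input>
  </fieldset>

  <row>
    <map>
      <title>Threat Map</title>
      <search>
        <query>$filter$ | iplocation $lookupfield$ | lookup threatscore clientip as $lookupfield$ | where threatscore>0 | geostats count by threatscore</query>
        <earliest>$time_tok.earliest$</earliest>
        <latest>$time_tok.latest$</latest>
      </search>
      <option name="height">400px</option>
      <option name="mapping.markerLayer.markerOpacity">0.8</option>
      <option name="mapping.map.center">(30.810646,-10.556976)</option>
      <option name="mapping.map.zoom">2</option>
    </map>
  </row>
</form>
```

Before relying on the dashboard, run the assembled search by hand in Search and Reporting over the same time range: "eventtype=ip_check | head 100" should return events, "eventtype=ip_check | stats count AS events, count(dst_ip) AS with_dst_ip" should show a non-zero with_dst_ip, and "| inputlookup threatscore | head 5" should return rows. If the map runs but stays empty, the usual cause is that the field name in the lookup-field input does not match the field the firewall sourcetype actually extracts, or that none of the addresses in the chosen time range have a threatscore above 0.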