When using the search app for RSA NetWitness, I receive the following errors.
However, when I use the non-search version of the app, I have no issues with authentication.
The credentials and environments are exactly the same otherwise. I've tried using the PassAuth and configuration file authentication options, but I get the same results regardless. Any advice?
ERROR: Check settings in nwsdk_query.conf.
ERROR: Couldn't read authentication details PassAuth or from nwsdk_query.conf.
Hi!
Did you configure them via the UI in both cases? Each app will need its passwords.conf version and each server uses a different key to encrypt these.
If hard-coded, just remove the PassAuth line in inputs.conf. Also, could you share the exact error? Could it be an issue with the query instead? The non-query version of the app works in a different way, retrieving the data based on sessions, not on a specific query. The complete equivalent would be:
query=select *
Hope this helps!
Thank you,
Rui
I did try to configure via UI, but I've reverted to the hard coding for testing at least. I saw in a different post that there may be an SSO issue, so I figured I'd start there.
The query I'm using is exactly the one you mentioned above just so I can verify functionality. I'm trying to work around the issue by creating the filter within NetWitness itself for the time being, but it's not cooperating either (of course). haha.
Hello again,
Just wondering if you were able to solve the issue?
Thank you,
Rui
Yes, SSO is an issue. If that is the case then hard-coded should work but you need to remove the PassAuth config setting in inputs.conf.
And yes, the approach of controlling with something on the NetWitness side is ideal, as on the Splunk side it would require a restart.
So something like below would be ideal:
query = select * where alert='Splunk_alert'