All Apps and Add-ons

iSight Partners ThreatScape app not receiving any data

ng87
Path Finder

I have installed the iSight Partners ThreatScape app in Splunk ( latest version ) however i am not getting any data for the app.
The app has been installed correctly as i can see the indexes the app has created. I have also set the correct API keys and selected all the feeds i need.
I thought it may be a proxy issue however the host is able to connect to api.isightpartners.com without an issue.
The app has now been installed for more than a day and the index remains empty. Is there any way to 'debug' an app or view app specific logs?

0 Karma
1 Solution

ng87
Path Finder

got it working by changing the script path in inputs.conf ( app specific ) to [script://$SPLUNK_HOME\etc\apps\iSIGHTPartners_ThreatScape_App\bin\fetch_indicators.py 15]

View solution in original post

0 Karma

ng87
Path Finder

got it working by changing the script path in inputs.conf ( app specific ) to [script://$SPLUNK_HOME\etc\apps\iSIGHTPartners_ThreatScape_App\bin\fetch_indicators.py 15]

0 Karma

ng87
Path Finder

Worth mentioning that my Splunk Instance is running on Windows ( Dev instance ) .

0 Karma

ng87
Path Finder

I think i tracked down the error in the logs which appears to be :
04-04-2017 12:33:05.524 +0100 ERROR FrameworkUtils - Incorrect path to script: .\bin\fetch_indicators.py. Script must be located inside $SPLUNK_HOME\bin\scripts.
04-04-2017 12:33:05.524 +0100 ERROR ExecProcessor - Ignoring: ".\bin\fetch_indicators.py 15"
04-04-2017 12:33:05.524 +0100 ERROR FrameworkUtils - Incorrect path to script: .\bin\fetch_iocs.py. Script must be located inside $SPLUNK_HOME\bin\scripts.
04-04-2017 12:33:05.524 +0100 ERROR ExecProcessor - Ignoring: ".\bin\fetch_iocs.py 15"
04-04-2017 12:33:05.524 +0100 ERROR FrameworkUtils - Incorrect path to script: .\bin\fetch_vulnerabilities.py. Script must be located inside $SPLUNK_HOME\bin\scripts.
04-04-2017 12:33:05.524 +0100 ERROR ExecProcessor - Ignoring: ".\bin\fetch_vulnerabilities.py 15"

Those scripts its trying to launch are located in the splunk_home\etc\apps\iSIGHTPartners_ThreatScape_App\bin

I have registered the paths using splunks envars command/batch script.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!