- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: splunk for netwitness not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm trying to use the splunk for netwitness app (I'm using splunk on windows) but it is not working with the following error messages:
ERROR: Couldn't execute summary query. Existing...
ERROR: urlopen error [Error 10060] A connection attempt failed because the connected party did not properly respond after a period of time...
took 6.125 seconds to run, 0 bytes read
No New sessions to read
nwsdk.conf file in the local directory configuration:
[rest]
top_level_url=http://10.10.10.1:50105
username=myusername
password=mypassword
last_sid_file=c:\.last_sessionid
no_sid_file=-2 (tried also using 0 here )
no_sid_seconds_back=300
max_meta=50000
write_to_file_every_x=500
I have no problems connecting the netwitness via the web
anyone had any luck with this app ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This could possibly be related to IE proxy settings based on the link below
http://stackoverflow.com/questions/2923703/why-cant-i-get-pythons-urlopen-method-to-work
I've successfully run this app on a Windows Splunk instance I do have to say it seems to behave a lot better under *nix.
I hope that helps!
Regards,
Rui
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Apologies for not being clear. That's the README on the ../bin/ directory, I was referring to the README.txt on the apps' main directory. Just one up from that one.
Its contents start with
'# Splunk/NetWitness REST API Session Meta scripted input
'# Version : 0.9.1
'# Date: 12 Dec 2012
Unfortunately, it's too big to post here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the README.txt file contains only one liner and says
"This is where you put any scripts you want to add to this app."
what do I do with it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This could possibly be related to IE proxy settings based on the link below
http://stackoverflow.com/questions/2923703/why-cant-i-get-pythons-urlopen-method-to-work
I've successfully run this app on a Windows Splunk instance I do have to say it seems to behave a lot better under *nix.
I hope that helps!
Regards,
Rui
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Leul,
They should work with any SA/NW version from 9.8.5.9 which was when the REST API was introduced.
The apps have a README.txt file with instructions on how to install. You can download the app package from apps.splunk.com and the file is a .tar.gz so if you rename it most unzip tools will open it and you should be able to access the README.txt file.
Otherwise you can install directly from apps.splunk.com and the README.txt will be in the root of the app folder and you can read it from there. Installing the apps will not automatically trigger any form of collection.
Thank you,
Rui
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Rui,
I want to send meta data from NetWitness to splunk. I have contacted RSA to obtain documentation that can guide me through, but I was told that they have solution for SA not for the version of NW that I am currently runing.(NextGen 9.8.5.19)
I have not installed the app yet because I am new to this process and did not want to mess up anything. I need some step-by-step instructions that can guide me through the installation.
Your help is greately appreciated.
Thank you,
Leul.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi lmakonnen,
What exactly is your problem? There are several users of the app. If you are using an older version of NetWitness, it could be that the REST port isn't enabled.
Pretty much the process is to install the app and update nwsdk.conf to meet your environment settings. The only thing on NetWitness side is that you need to use the REST port instead of the normal SDK ports.
If you can share more details I should be able to help further.
Thank you,
Rui
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you please share the procedurres you followd to integrate NetWitness with Splunk? Thank you .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great, glad to hear!
For other reading this thread for version 0.9 a trailing "/" is also needed on the top_level_url setting.
Thank you,
Rui
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks , I moved it to the linux machine and it worked from there
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
