
Splunk for NetWitness not working

gooza
Communicator

Hi,

I'm trying to use the Splunk for NetWitness app (I'm using Splunk on Windows), but it is not working, with the following error messages:

ERROR: Couldn't execute summary query. Existing...

ERROR: urlopen error [Error 10060] A connection attempt failed because the connected party did not properly respond after a period of time...

took 6.125 seconds to run, 0 bytes read

No New sessions to read

nwsdk.conf file in the local directory configuration:

[rest]
top_level_url=http://10.10.10.1:50105
username=myusername
password=mypassword
last_sid_file=c:\.last_sessionid
no_sid_file=-2 (tried also using 0 here)
no_sid_seconds_back=300
max_meta=50000
write_to_file_every_x=500

I have no problems connecting to NetWitness via the web.

Anyone had any luck with this app?

1 Solution

rataide
Path Finder

This could possibly be related to IE proxy settings, based on the link below:

http://stackoverflow.com/questions/2923703/why-cant-i-get-pythons-urlopen-method-to-work

I've successfully run this app on a Windows Splunk instance. I do have to say it seems to behave a lot better under *nix.

I hope that helps!

Regards,

Rui


rataide
Path Finder

Apologies for not being clear. That's the README in the ../bin/ directory; I was referring to the README.txt in the app's main directory, just one up from that one.

Its contents start with

# Splunk/NetWitness REST API Session Meta scripted input
# Version : 0.9.1
# Date: 12 Dec 2012

Unfortunately, it's too big to post here.


lmakonnen
New Member

The README.txt file contains only a one-liner and says
"This is where you put any scripts you want to add to this app."

What do I do with it?


rataide
Path Finder

Hi Leul,

They should work with any SA/NW version from 9.8.5.9 which was when the REST API was introduced.

The apps have a README.txt file with instructions on how to install. You can download the app package from apps.splunk.com; the file is a .tar.gz, so if you rename it most unzip tools will open it and you should be able to access the README.txt file.

Otherwise you can install directly from apps.splunk.com and the README.txt will be in the root of the app folder and you can read it from there. Installing the apps will not automatically trigger any form of collection.

Thank you,

Rui

lmakonnen
New Member

Hi Rui,
I want to send metadata from NetWitness to Splunk. I have contacted RSA to obtain documentation that can guide me through, but I was told that they have a solution for SA, not for the version of NW that I am currently running (NextGen 9.8.5.19).

I have not installed the app yet because I am new to this process and did not want to mess up anything. I need some step-by-step instructions that can guide me through the installation.

Your help is greatly appreciated.
Thank you,
Leul.


rataide
Path Finder

Hi lmakonnen,

What exactly is your problem? There are several users of the app. If you are using an older version of NetWitness, it could be that the REST port isn't enabled.

Pretty much the process is to install the app and update nwsdk.conf to meet your environment settings. The only thing on NetWitness side is that you need to use the REST port instead of the normal SDK ports.

If you can share more details I should be able to help further.

Thank you,

Rui

lmakonnen
New Member

Can you please share the procedures you followed to integrate NetWitness with Splunk? Thank you.


rataide
Path Finder

Great, glad to hear!

For others reading this thread: for version 0.9 a trailing "/" is also needed on the top_level_url setting.

Thank you,

Rui

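Two settings problems come up in this thread: urlopen timing out on Windows because urllib honours the IE proxy settings, and the trailing "/" that version 0.9 needs on top_level_url. The script below is an added example (Python 3, not code from the app or from any post here) that lints the [rest] section of nwsdk.conf and probes the REST port with the system proxy explicitly bypassed; the sample config, credentials and the 10.10.10.1:50105 address are placeholders copied from the question.

```python
import configparser
import socket
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed sample mirroring the thread's nwsdk.conf (placeholder credentials).
SAMPLE_CONF = """\
[rest]
top_level_url=http://10.10.10.1:50105
username=myusername
password=mypassword
"""

def load_rest_section(text):
    """Parse the [rest] section of an nwsdk.conf into a plain dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["rest"])

def lint_rest_section(rest):
    """Return the settings problems worth fixing before running the input."""
    problems = []
    url = rest.get("top_level_url", "")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        problems.append("top_level_url must look like http(s)://host:port/")
    if not url.endswith("/"):  # needed by app version 0.9
        problems.append("top_level_url needs a trailing '/'")
    if parts.scheme == "http":
        problems.append("credentials travel in clear text over http")
    return problems

def probe_rest_port(url, username, password, timeout=5.0, use_system_proxy=False):
    """Open the REST URL once and classify the result; by default ignore IE/system proxy."""
    handlers = [] if use_system_proxy else [urllib.request.ProxyHandler({})]
    auth = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    auth.add_password(None, url, username, password)
    handlers.append(urllib.request.HTTPBasicAuthHandler(auth))
    opener = urllib.request.build_opener(*handlers)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return f"ok: HTTP {resp.getcode()}"
    except urllib.error.HTTPError as e:
        return f"http-error: {e.code} (port reachable; check credentials/path)"
    except (urllib.error.URLError, socket.timeout) as e:
        reason = getattr(e, "reason", e)
        if isinstance(reason, socket.timeout):
            return "timeout: no response (firewall, proxy or REST port not enabled)"
        return f"unreachable: {reason}"
```

Run probe_rest_port twice, once with use_system_proxy=False and once with True: if only the proxied call times out, the IE proxy settings are the cause rather than the REST port itself.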

gooza
Communicator

Thanks, I moved it to the Linux machine and it worked from there.
