Optiv Threat Intel: After initial configuration, getting "Error while posting to url=/servicesNS/nobody/optiv_threat_intel/saved/searches/...."

marcuspauli
New Member

Hello world,

The initial config comes back with the message:

Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/optiv_threat_intel/saved/searches/Optiv%20Threat%20List%20Hit%20on%20Destination%20IP%20Email%20Alert%20-%20Index%201

Any clue what I did wrong here?

Thx a lot
Marcus

0 Karma

joni73
Explorer

FYI this error is still there (for me at least) in v. 3.20

0 Karma

derekarnold
Communicator

Dev here- are you editing the saved search as admin? If this issue persists please try restarting Splunk. Otherwise you can edit the search in optiv_threat_intel/default, then copy the stanza you want and paste it into local and make your changes there.
Good luck.

0 Karma

Makinde
New Member

Hi Derek,

I am having the same issue, I have tried restarting Splunk and making changes in the stanza. It still takes me back to the setup page and same error every time.

I have even tried installing it on a different search head. Any ideas?

0 Karma

Makinde
New Member

Hi Derek,

Can you let me know what config file would be updated during the initial configuration so I can update them manually. I know the macros.conf file would be updated with the three indexes, but I am not sure what file gets updated with the alert configuration in the initial configuration.

Maybe I can manually update this file and get past the configuration page to actually be able to see what the app looks like.

Thanks,

0 Karma

derekarnold
Communicator

Update macros.conf with your index names in local:
Example:

[network_index_one]
disabled = 0
definition = index=pan_logs

Create app.conf in local:
Example:

[default]

[install]
is_configured = 1

Create savedsearches.conf in local:

[Optiv Threat List Hit on Destination IP Email Alert - Index 1]
disabled = 0
action.email.to = my_new_security_team@example.com
cron_schedule = 35 2,14 * * *

0 Karma
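The manual workaround above, as an added example that is not part of the thread or of the Optiv app: it URL-decodes the saved-search stanza name out of the error message from the opening post and renders the three local/*.conf overrides Derek lists, then parses them back to check the values. The macro name, index name, e-mail address and schedule are assumed sample values.

```python
"""Render and check the local/ overrides for optiv_threat_intel (added example)."""
import configparser
from urllib.parse import unquote, urlsplit

# Constructed sample: the REST URL quoted in the error message of the opening post.
ERROR_URL = ("/servicesNS/nobody/optiv_threat_intel/saved/searches/"
             "Optiv%20Threat%20List%20Hit%20on%20Destination%20IP%20Email%20Alert%20-%20Index%201")


def stanza_from_error_url(url: str) -> str:
    """The last path segment of a saved/searches URL is the URL-encoded stanza name."""
    return unquote(urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1])


def render_local_overrides(indexes: dict, alert_to: str, cron: str, search_name: str) -> dict:
    """Return {filename: text} for local/macros.conf, app.conf and savedsearches.conf.

    `indexes` maps macro stanza name -> index name (assumed values, e.g. network_index_one).
    Index names are restricted to [A-Za-z0-9_-] so a bad value cannot break the SPL definition.
    """
    macros = []
    for macro, index in indexes.items():
        if not index.replace("_", "").replace("-", "").isalnum():
            raise ValueError(f"unexpected characters in index name: {index!r}")
        macros.append(f"[{macro}]\ndisabled = 0\ndefinition = index={index}\n")
    return {
        "macros.conf": "\n".join(macros),
        # Empty [default] stanza plus is_configured = 1 skips the setup page.
        "app.conf": "[default]\n\n[install]\nis_configured = 1\n",
        "savedsearches.conf": (f"[{search_name}]\ndisabled = 0\n"
                               f"action.email.to = {alert_to}\ncron_schedule = {cron}\n"),
    }


def parse_conf(text: str) -> dict:
    """Parse Splunk-style conf text (INI stanzas, no %-interpolation) into nested dicts."""
    # A plain "[default]" stanza must stay an ordinary section, so rename configparser's own.
    cp = configparser.ConfigParser(interpolation=None, default_section="__none__")
    cp.optionxform = str  # Splunk keys such as action.email.to are case-sensitive
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


if __name__ == "__main__":
    name = stanza_from_error_url(ERROR_URL)
    files = render_local_overrides({"network_index_one": "pan_logs"},
                                   "my_new_security_team@example.com", "35 2,14 * * *", name)
    for filename, body in files.items():
        print(f"# local/{filename}\n{body}")
        assert name in parse_conf(body) or filename != "savedsearches.conf"
```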