The initial config comes back with the message:
Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/optiv_threat_intel/saved/searches/Optiv%20Threat%20List%20Hit%20on%20Destination%20IP%20Email%20Alert%20-%20Index%201
Any clue what I did wrong here?
Thx a lot
Dev here - are you editing the saved search as admin? If this issue persists, please try restarting Splunk. Otherwise you can edit the search in optiv_threat_intel/default, then copy the stanza you want and paste it into local and make your changes there.
I am having the same issue. I have tried restarting Splunk and making changes in the stanza. It still takes me back to the setup page with the same error every time.
I have even tried installing it on a different search head. Any ideas?
Can you let me know what config file would be updated during the initial configuration so I can update it manually? I know the macro.conf file would be updated with the three indexes but I am not sure what file gets updated with the alert configuration in the initial configuration.
Maybe I can manually update this file and get past the configuration page to actually be able to see what the app looks like.
Update macros.conf with your index names in local:
[network_index_one]
disabled = 0
definition = index=pan_logs
Create app.conf in local:
[default]
[install]
is_configured = 1
Create savedsearches.conf in local:
[Optiv Threat List Hit on Destination IP Email Alert - Index 1]
disabled = 0
action.email.to = email@example.com
cron_schedule = 35 2,14 * * *
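One way to check the three local files from the answer above before restarting Splunk, as an added example that is not part of the original thread or the app's own code: it merges default/ and local/ per key (a simplified model of Splunk's in-app layering, where local wins) and lists any required setting still missing. The function names, the stub default/ file and the temporary directory are assumptions, and configparser only handles simple key = value lines.

```python
import configparser
import tempfile
from pathlib import Path

ALERT = "Optiv Threat List Hit on Destination IP Email Alert - Index 1"
# Settings the answer places in <app>/local: file -> stanza -> keys.
REQUIRED = {
    "app.conf": {"install": ["is_configured"]},
    "macros.conf": {"network_index_one": ["definition"]},
    "savedsearches.conf": {ALERT: ["action.email.to", "cron_schedule"]},
}

def effective(app_dir, conf_name):
    """Simplified in-app layering: keys in local/ override default/."""
    merged = {}
    for layer in ("default", "local"):
        cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
        cp.optionxform = str  # keep key case as written
        cp.read(Path(app_dir) / layer / conf_name, encoding="utf-8")
        for stanza in cp.sections():
            merged.setdefault(stanza, {}).update(cp.items(stanza))
    return merged

def missing_settings(app_dir):
    """Return (file, stanza, key) tuples that are absent or empty."""
    return [(conf, stanza, key)
            for conf, stanzas in REQUIRED.items()
            for stanza, keys in stanzas.items()
            for key in keys
            if not effective(app_dir, conf).get(stanza, {}).get(key, "").strip()]

def write_sample(app_dir):
    """Constructed sample: a stub default/ plus the local/ files from the answer."""
    files = {
        "default/savedsearches.conf": f"[{ALERT}]\ndisabled = 1\n",
        "local/macros.conf": "[network_index_one]\ndisabled = 0\ndefinition = index=pan_logs\n",
        "local/app.conf": "[default]\n[install]\nis_configured = 1\n",
        "local/savedsearches.conf": f"[{ALERT}]\ndisabled = 0\n"
            "action.email.to = email@example.com\ncron_schedule = 35 2,14 * * *\n",
    }
    for rel, text in files.items():
        path = Path(app_dir) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        print("missing:", missing_settings(tmp))
```

To use it on a real install, pass the app's own directory to missing_settings() instead of the temporary one.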