
Optiv Threat Intel: How to troubleshoot why there is no data populating in the app in a search head cluster?

New Member

I installed the Optiv Threat Intel app on a search head cluster, but data is not populating. Additionally, I added the optiv index to the peer indexers as well. However, I'm still not getting threat data. Index has only 1 event from running the troubleshoot link in the app and it has been several hours. Anyone else have issues with this app on a cluster? Did I miss something?

0 Karma

Re: Optiv Threat Intel: How to troubleshoot why there is no data populating in the app in a search head cluster?

Communicator

jroark, would it be possible to post the latest script log file?
It would look something like this:

/opt/splunk/var/log/splunk/optivthreatlists_script11-09-2015-10-14-37.log

What does the 1 event showing up on the Troubleshooting page say?

What platform is this? Linux/Windows?


Re: Optiv Threat Intel: How to troubleshoot why there is no data populating in the app in a search head cluster?

New Member

After posting I looked at the troubleshooting log again and realized my install of splunk isn't on the standard /opt/splunk. Adding a symlink fixed the issue and threats started to populate. Error was on my end.

0 Karma

Re: Optiv Threat Intel: How to troubleshoot why there is no data populating in the app in a search head cluster?

New Member

Can you please provide the command or commands you used to resolve this issue. My Splunk installation is also not in the standard /opt/splunk. Thank you.

0 Karma

Re: Optiv Threat Intel: How to troubleshoot why there is no data populating in the app in a search head cluster?

Communicator

I can't answer how to set up a symlink, but I did a find in files in my app, and if you find and replace these lines with the path of your Splunk installation you should be set:

grep -rnw '.' -e "/opt/splunk"
./bin/getalerts.py:38: splunkhome = '/opt/splunk'
./bin/starter_script.sh:5:THREATSCRIPTPATH="/opt/splunk/etc/apps/optivthreatintel/bin/optivthreatlists.py"
./bin/starter_script.sh:6:RSSSCRIPTPATH="/opt/splunk/etc/apps/optivthreatintel/bin/getalerts.py"
./bin/starter_script.sh:7:#LOGFOLDER="/opt/splunk/etc/apps/optivthreatintel/bin/"
./bin/starter_script.sh:8:LOGFOLDER="/opt/splunk/var/log/splunk/"
./bin/starter_script.sh:9:PYTHON="/opt/splunk/bin/splunk cmd python"
./bin/optivthreatlists.py:64: splunk_home = '/opt/splunk'

wherever it says /opt/splunk, sub in your path.

0 Karma
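The find-and-replace above is easy to get wrong by hand (a sibling install such as /opt/splunkforwarder also starts with /opt/splunk, and you want to see what will change before anything is written). The following script is an added example, not part of the app or of any post in this thread: it previews and then applies the substitution in the three files the grep output listed. The file list, the sample app directory it builds from constructed copies of those lines, and the /data/splunk target path are assumptions for the demonstration.

```python
import os
import re
import tempfile

# Files the grep output above listed as carrying a hard-coded /opt/splunk,
# relative to the app directory. Assumption: these three are the only ones.
TARGET_FILES = ("bin/getalerts.py", "bin/starter_script.sh", "bin/optivthreatlists.py")


def rewrite_splunk_home(app_dir, new_home, old_home="/opt/splunk", dry_run=True):
    """Replace the hard-coded old_home prefix with new_home in TARGET_FILES.

    Returns a list of (relative_file, line_number, new_line) for every line
    that changes. With dry_run=True (the default) nothing is written, so the
    list is a preview of what a second call with dry_run=False will do.
    """
    # Match old_home only when it is followed by '/', a quote, whitespace or
    # end of line, so a sibling install like /opt/splunkforwarder is untouched.
    pattern = re.compile(re.escape(old_home) + r"(?=[/'\"\s]|$)")
    changes = []
    for rel in TARGET_FILES:
        path = os.path.join(app_dir, rel)
        if not os.path.isfile(path):
            continue  # app version without this file; nothing to rewrite
        with open(path, encoding="utf-8") as fh:
            lines = fh.read().splitlines(keepends=True)
        file_changed = False
        for i, line in enumerate(lines):
            # lambda replacement keeps backslashes in new_home literal
            new_line, n = pattern.subn(lambda m: new_home, line)
            if n:
                file_changed = True
                lines[i] = new_line
                changes.append((rel, i + 1, new_line.rstrip("\n")))
        if file_changed and not dry_run:
            with open(path, "w", encoding="utf-8") as fh:
                fh.writelines(lines)
    return changes


def read_app_file(app_dir, rel):
    """Return the current text of one app file (used to confirm a rewrite)."""
    with open(os.path.join(app_dir, rel), encoding="utf-8") as fh:
        return fh.read()


def build_sample_app():
    """Create a throwaway app directory holding constructed copies of the
    lines the grep output showed, plus one forwarder path that must survive.
    Returns the directory path. Constructed data, not the real app files."""
    app_dir = tempfile.mkdtemp(prefix="optiv_demo_")
    os.makedirs(os.path.join(app_dir, "bin"))
    samples = {
        "bin/getalerts.py": "import os\nsplunkhome = '/opt/splunk'\n",
        "bin/starter_script.sh": (
            "#!/bin/sh\n"
            'THREATSCRIPTPATH="/opt/splunk/etc/apps/optivthreatintel/bin/optivthreatlists.py"\n'
            'RSSSCRIPTPATH="/opt/splunk/etc/apps/optivthreatintel/bin/getalerts.py"\n'
            '#LOGFOLDER="/opt/splunk/etc/apps/optivthreatintel/bin/"\n'
            'LOGFOLDER="/opt/splunk/var/log/splunk/"\n'
            'PYTHON="/opt/splunk/bin/splunk cmd python"\n'
            'FORWARDER="/opt/splunkforwarder/bin"  # constructed: must not change\n'
        ),
        "bin/optivthreatlists.py": "splunk_home = '/opt/splunk'\n",
    }
    for rel, text in samples.items():
        with open(os.path.join(app_dir, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    return app_dir


if __name__ == "__main__":
    demo = build_sample_app()
    print("preview:")
    for rel, lineno, line in rewrite_splunk_home(demo, "/data/splunk"):
        print(f"  {rel}:{lineno}: {line}")
    rewrite_splunk_home(demo, "/data/splunk", dry_run=False)
    print(read_app_file(demo, "bin/starter_script.sh"))
```

Run it once with the default dry run against your real app directory and read the preview; only call it with dry_run=False when every listed line is one you expect. On a search head cluster the edit belongs in the deployer's copy of the app so the bundle push does not overwrite it.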

Re: Optiv Threat Intel: How to troubleshoot why there is no data populating in the app in a search head cluster?

Path Finder

Did you have to create an index for the Optiv Threat Intel list?

0 Karma

Re: Optiv Threat Intel: How to troubleshoot why there is no data populating in the app in a search head cluster?

Communicator

index=optiv is created by the file default/indexes.conf
The index name can be adjusted there. If you do so, make sure to change the optiv_index definition in macros.conf as well.

0 Karma

Re: Optiv Threat Intel: How to troubleshoot why there is no data populating in the app in a search head cluster?

Path Finder

Index Optiv is there and my setup is the default /opt/splunk. I see the log files in /opt/splunk/var/log/splunk/optiv_*.log, however the input is not pulling the files into Splunk index optiv. I am running on a redhat server.
Here is my input.conf

[monitor:///opt/splunk/var/log/splunk/optiv_*.log]
ignoreOlderThan=3d
crcSalt=
index=optiv
sourcetype=optiv_threat_list
disabled=0

Any help would be appreciated, thanks.

0 Karma

Re: Optiv Threat Intel: How to troubleshoot why there is no data populating in the app in a search head cluster?

Communicator

John,
I am showing a different inputs.conf in my 2.80 directory. This is what I have:

[monitor://$SPLUNK_HOME\var\log\splunk\optiv_*.log]
ignoreOlderThan=3d
crcSalt=<SOURCE>
index=optiv
sourcetype=optiv_threat_list
disabled=0

[script://./bin/starter_script.sh]
#[script://$SPLUNK_HOME/etc/apps/optiv_threat_intel/bin/starter_script.sh]
#8 hours
interval=28800
#interval=300
index=optiv
disabled=0

In your stanza listed above we're missing a key/value pair for crcSalt. Should we try blowing away the app and a clean reinstall with the latest version?

Also, what does the Troubleshooting section of the app show?

0 Karma
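The difference between the two stanzas quoted in this thread is small enough to miss by eye, so here is an added example (my own code, not the app's and not from any poster) that parses an inputs.conf and reports the things this thread turned up: an empty crcSalt, a missing index, sourcetype or interval, a disabled stanza, and, via a hypothetical splunk_home parameter, a monitor path that hard-codes a prefix other than the real install (the mismatch behind the symlink fix earlier). The two embedded configs are constructed copies of the stanzas posted above.

```python
# Constructed copies of the two inputs.conf versions quoted in the thread:
# the stanza that pulled nothing, and the one from the 2.80 app directory.
BROKEN_INPUTS_CONF = """\
[monitor:///opt/splunk/var/log/splunk/optiv_*.log]
ignoreOlderThan=3d
crcSalt=
index=optiv
sourcetype=optiv_threat_list
disabled=0
"""

GOOD_INPUTS_CONF = r"""
[monitor://$SPLUNK_HOME\var\log\splunk\optiv_*.log]
ignoreOlderThan=3d
crcSalt=<SOURCE>
index=optiv
sourcetype=optiv_threat_list
disabled=0

[script://./bin/starter_script.sh]
#[script://$SPLUNK_HOME/etc/apps/optiv_threat_intel/bin/starter_script.sh]
#8 hours
interval=28800
#interval=300
index=optiv
disabled=0
"""


def parse_conf(text):
    """Parse Splunk .conf text into a list of (stanza_name, {key: value}).

    Blank lines and '#' comments are skipped, each setting is split on its
    first '=', and settings before the first stanza header are ignored.
    """
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], {})
            stanzas.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[1][key.strip()] = value.strip()
    return stanzas


def check_inputs_conf(text, splunk_home=None):
    """Return a list of readable problems found in an app's inputs.conf.

    splunk_home is a hypothetical parameter: when given, an absolute monitor
    path that does not live under it is flagged as hard-coding the wrong home.
    """
    issues = []
    for name, kv in parse_conf(text):
        if kv.get("disabled", "0") not in ("0", "false"):
            issues.append(f"[{name}] is disabled")
        if not kv.get("index"):
            issues.append(f"[{name}] has no index")
        if name.startswith("monitor://"):
            path = name[len("monitor://"):]
            if not kv.get("sourcetype"):
                issues.append(f"[{name}] has no sourcetype")
            # The stanza that pulled nothing had the key with no value; the
            # shipped one salts the CRC with the file path via <SOURCE>.
            if "crcSalt" in kv and kv["crcSalt"] == "":
                issues.append(f"[{name}] crcSalt is present but empty; the shipped stanza uses crcSalt=<SOURCE>")
            if splunk_home and path.startswith("/") and not path.startswith(splunk_home.rstrip("/") + "/"):
                issues.append(f"[{name}] hard-codes a path outside {splunk_home}")
        elif name.startswith("script://"):
            if not kv.get("interval"):
                issues.append(f"[{name}] has no interval")
    return issues


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_INPUTS_CONF), ("2.80", GOOD_INPUTS_CONF)):
        print(label, check_inputs_conf(conf, splunk_home="/opt/splunk") or ["ok"])
```

The crcSalt point matters because Splunk identifies a monitored file by a CRC of its first bytes; files that start identically look like one file already read, and <SOURCE> folds the path into that CRC so each optiv_*.log is tracked on its own. Point the function at $SPLUNK_HOME/etc/apps/optivthreatintel/local/inputs.conf as well as default/inputs.conf, since a local override wins over the shipped stanza.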