I installed the Optiv Threat Intel app on a search head cluster, but data is not populating. Additionally, I added the optiv index to the peer indexers as well. However, I'm still not getting threat data. Index has only 1 event from running the troubleshoot link in the app and it has been several hours. Anyone else have issues with this app on a cluster? Did I miss something?
jroark, would it be possible to post the latest script log file?
It would look something like this:
What does the 1 event showing up on the Troubleshooting page say?
What platform is this? Linux/Windows?,jroark, Would it be possible to post the most recent script log file?
It would look something like: /opt/splunk/var/log/splunk/optivthreatlists_script11-09-2015-10-14-37.log
What is the 1 event on the troubleshoot screen?
What platform is this? Linux/Windows?
After posting I looked at the troubleshooting log again and realized my install of splunk isn't on the standard /opt/splunk. Adding a symlink fixed the issue and threats started to populate. Error was on my end.
Can you please provide the command or commands you used to resolve this issue. My Splunk installation is also not in the standard /opt/splunk. Thank you.
I can't answer how to set up a symlink, but I did to a find in files in my app and if you find and replace these lines with the path of your Splunk installation you should be set:
grep -rnw '.' -e "/opt/splunk"
./bin/getalerts.py:38: splunkhome = '/opt/splunk'
./bin/starterscript.sh:9:PYTHON="/opt/splunk/bin/splunk cmd python"
./bin/optivthreatlists.py:64: splunk_home = '/opt/splunk'
wherever it says /opt/splunk, sub in your path.
Did you have to create an index for the Optiv Threat Intel list?
index=optiv is created by the file default/indexes.conf
the index name can be adjusted there. if you do so make sure and change the optiv_index definition in macros.conf as well.
Index Optiv is there and my setup is the default /opt/splunk. I see the log files in /opt/splunk/var/log/splunk/optiv_*.log, howevere the input is not pulling the files into Splunk index optiv. I am running on a redhat server.
Here is my input.conf
[monitor:///opt/splunk/var/log/splunk/optiv_*.log] ignoreOlderThan=3d crcSalt= index=optiv sourcetype=optiv_threat_list disabled=0
Any help would be apreciated, Thanks
I am showing a different inputs.conf in my 2.80 directory. This is what I have:
[monitor://$SPLUNK_HOME\var\log\splunk\optiv_*.log] ignoreOlderThan=3d crcSalt=<SOURCE> index=optiv sourcetype=optiv_threat_list disabled=0 [script://./bin/starter_script.sh] #[script://$SPLUNK_HOME/etc/apps/optiv_threat_intel/bin/starter_script.sh] #8 hours interval=28800 #interval=300 index=optiv disabled=0
In your stanza listed above we're missing a key/value pair for crcSalt. Should we try blowing away the app and a clean reinstall with the latest version?
Also, what does the Troubleshooting section of the app show?