Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Optiv Threat Intel: After initial configuration, getting "Error while posting to url=/servicesNS/nobody/optiv_threat_intel/saved/searches/...."

marcuspauli
New Member
‎08-05-2016 12:19 PM

Hello world,

The initial config comes back with the message:

Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/optiv_threat_intel/saved/searches/Optiv%20Threat%20List%20Hit%20on%20Destination%20IP%20Email%20Alert%20-%20Index%201

Any clue what I did wrong here?

Thx a lot
Marcus

0 Karma
Reply

joni73
Explorer
‎12-05-2016 11:43 AM

FYI this error is still there (for me at least) in v. 3.20
alt text

Preview file
87 KB
0 Karma
Reply

derekarnold
Communicator
‎08-06-2016 03:52 PM

Dev here- are you editing the saved search as admin? If this issue persists please try restarting Splunk. Otherwise you can edit the search in optiv_threat_intel/default, then copy the stanza you want and paste it into local and make your changes there.
Good luck.

0 Karma
Reply

Makinde
New Member
‎08-09-2016 11:29 AM

Hi Derek,

I am having the same issue, I have tried restarting Splunk and making changes in the stanza. It still takes me back to the setup page and same error every time.

I have even tried installing it on a different search head. Any ideas?

0 Karma
Reply

Makinde
New Member
‎08-10-2016 08:06 AM

Hi Derek,

Can you let me know what config file would be updated during the initial configuration so I can update them manually. I know the macro.conf file would be updated with the three indexes but I am not sure what file gets updated with the alert configuration in the initial configuration.

Maybe I can manually update this file and get past the configuration page to actually be able to see what the app looks like.

Thanks,

0 Karma
Reply

derekarnold
Communicator
‎08-10-2016 12:09 PM

Update macros.con with your index names in local:
Example:

[network_index_one]
disabled = 0
definition = index=pan_logs

Create app.conf in local:
Example

[default]

[install]
is_configured = 1

Create savedsearches.conf in local:

[Optiv Threat List Hit on Destination IP Email Alert - Index 1]
disabled = 0
action.email.to = [email protected]
cron_schedule = 35 2,14 * * *
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...