Getting Data In

Optiv Threat Intel: After initial configuration, getting "Error while posting to url=/servicesNS/nobody/optiv_threat_intel/saved/searches/...."

marcuspauli
New Member

Hello world,

The initial config comes back with the message:

Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/optiv_threat_intel/saved/searches/Optiv%20Threat%20List%20Hit%20on%20Destination%20IP%20Email%20Alert%20-%20Index%201

Any clue what I did wrong here?

Thx a lot
Marcus

0 Karma

joni73
Explorer

FYI this error is still there (for me at least) in v. 3.20
alt text

0 Karma

derekarnold
Communicator

Dev here- are you editing the saved search as admin? If this issue persists please try restarting Splunk. Otherwise you can edit the search in optiv_threat_intel/default, then copy the stanza you want and paste it into local and make your changes there.
Good luck.

0 Karma

Makinde
New Member

Hi Derek,

I am having the same issue, I have tried restarting Splunk and making changes in the stanza. It still takes me back to the setup page and same error every time.

I have even tried installing it on a different search head. Any ideas?

0 Karma

Makinde
New Member

Hi Derek,

Can you let me know what config file would be updated during the initial configuration so I can update them manually. I know the macro.conf file would be updated with the three indexes but I am not sure what file gets updated with the alert configuration in the initial configuration.

Maybe I can manually update this file and get past the configuration page to actually be able to see what the app looks like.

Thanks,

0 Karma

derekarnold
Communicator

Update macros.con with your index names in local:
Example:

[network_index_one]
disabled = 0
definition = index=pan_logs

Create app.conf in local:
Example

[default]

[install]
is_configured = 1

Create savedsearches.conf in local:

[Optiv Threat List Hit on Destination IP Email Alert - Index 1]
disabled = 0
action.email.to = my_new_security_team@example.com
cron_schedule = 35 2,14 * * *
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...