Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Optiv Threat Intel: After initial configuration, getting "Error while posting to url=/servicesNS/nobody/optiv_threat_intel/saved/searches/...."

marcuspauli
New Member
‎08-05-2016 12:19 PM

Hello world,

The initial config comes back with the message:

Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/optiv_threat_intel/saved/searches/Optiv%20Threat%20List%20Hit%20on%20Destination%20IP%20Email%20Alert%20-%20Index%201

Any clue what I did wrong here?

Thx a lot
Marcus

0 Karma
Reply

joni73
Explorer
‎12-05-2016 11:43 AM

FYI this error is still there (for me at least) in v. 3.20
alt text

Preview file
87 KB
0 Karma
Reply

derekarnold
Communicator
‎08-06-2016 03:52 PM

Dev here- are you editing the saved search as admin? If this issue persists please try restarting Splunk. Otherwise you can edit the search in optiv_threat_intel/default, then copy the stanza you want and paste it into local and make your changes there.
Good luck.

0 Karma
Reply

Makinde
New Member
‎08-09-2016 11:29 AM

Hi Derek,

I am having the same issue, I have tried restarting Splunk and making changes in the stanza. It still takes me back to the setup page and same error every time.

I have even tried installing it on a different search head. Any ideas?

0 Karma
Reply

Makinde
New Member
‎08-10-2016 08:06 AM

Hi Derek,

Can you let me know what config file would be updated during the initial configuration so I can update them manually. I know the macro.conf file would be updated with the three indexes but I am not sure what file gets updated with the alert configuration in the initial configuration.

Maybe I can manually update this file and get past the configuration page to actually be able to see what the app looks like.

Thanks,

0 Karma
Reply

derekarnold
Communicator
‎08-10-2016 12:09 PM

Update macros.con with your index names in local:
Example:

[network_index_one]
disabled = 0
definition = index=pan_logs

Create app.conf in local:
Example

[default]

[install]
is_configured = 1

Create savedsearches.conf in local:

[Optiv Threat List Hit on Destination IP Email Alert - Index 1]
disabled = 0
action.email.to = my_new_security_team@example.com
cron_schedule = 35 2,14 * * *
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...