We're running a script that's used in the CiscoIPS app to pull event data from our IPS. Initially the interval was set at 1 (should be every 1 second) which was hitting our IPS more than we'd like. We then changed it to 300 (should be every 5 minutes), however after restarting both splunk services, it's still hitting the IPS every second. Any ideas?
With the release of version 1.1.1 of the Cisco IPS app, you can now specify a polling interval in the inputs.conf. Below is an example that causes the script to wait 30 seconds in between polls of the Cisco IPS appliance. You must be running version 1.1.1 or higher to use this additional option at the end of the script. Changing the "interval" underneath the script command will not affect the polling of the IPS.
[script://$SPLUNK_HOME\etc\apps\Splunk_CiscoIPS\bin\get_ips_feed.py "username" "password" "IPS_IP" "30"]
disabled = 0
index = main
interval = 1
source = SDEE
sourcetype = cisco_ips_syslog
Hi @andrew_garvin, I am facing the same issue where I have 2 data poller scripts in the add-on. One is getting triggered by its interval but the other is not. I have tried correcting the order of my local/inputs.conf but it is still not working as expected. Can you please suggest what could be wrong? Below is my config for the script which is having the issue.
[digital_shadows_threat_intelligence://tes_IOC]
global_account = vitthal
interval = 90
ingesting_iocs = 1
since = 2023-06-05T05:42:56Z
threat_intelligence_updates = 0
disabled = 1
Worked like a champ - thanks for the update.
Thanks! I'll be sure to upgrade and give it a shot.
The script used by the Cisco IPS addon is actually running indefinitely once it's been started, so it won't matter what interval you set for it to run. The timing is performed internally instead. I had a quick look at the script (get_ips_feed.py) and it seems there is no pause between its requests at all - once it's done with one connection it just keeps hammering away with the next.
You could modify the script to sleep at the end of its while loop; one suggestion would be to add a time.sleep(300) after ipsLogger.info(syslog_msg) (line 231).
Did you pay attention to the indentation level when you modified the script? Python interprets different indentation levels differently. The time.sleep line should be one level "up" (= less indentation) than the ipsLogger.info line. This should make the script sleep for 300 seconds after each run of its main loop.
You don't need to restart Splunk; scripts are called directly each time they're run rather than being kept in memory.
It didn't affect the script at all. I tried restarting the entire server after implementing it, in case it was still running in memory, but no luck. Any other ideas?
Thanks for the reply. I'll give it a shot and let you know how it goes.