Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- Re: Getting error messages after Splunk Enterprise...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Getting error messages after Splunk Enterprise Security upgrade from 4.5.2 to 4.7.1.
Hi,
We have upgraded Enterprise Security from 4.5.2. to 4.7.1. After the upgrade we are getting two types of error message in our environment.
Type 1:
msg="A script exited abnormally" input="/opt/splunk/etc/apps/SA-Utils/bin/configuration_check.py" stanza="configuration_check://confcheck_es_app_version" status="exited with code 3"
Type 2:
A threat intelligence download has failed. stanza="iblocklist_spyware" host="xxxxx" status="threat list download failed after multiple retries"
A threat intelligence download has failed. stanza="iblocklist_proxy" host="xxxxx" status="threat list download failed after multiple retries"
A threat intelligence download has failed. stanza="iblocklist_tor" host="xxxxx" status="threat list download failed after multiple retries"
A threat intelligence download has failed. stanza="iblocklist_piratebay" host="xxxxx" status="threat list download failed after multiple retries"
A threat intelligence download has failed. stanza="iblocklist_web_attacker" host="xxxxx" status="threat list download failed after multiple retries"
A threat intelligence download has failed. stanza="iblocklist_rapidshare" host="xxxxx" status="threat list download failed after multiple retries"
A threat intelligence download has failed. stanza="iblocklist_logmein" host="xxxxx" status="threat list download failed after multiple retries"
Could you please suggest on this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We had this same issue after upgrade to 4.7.0 - Splunk Support advised it was a bug in this version and provided the following fix, which worked for us -
Edit splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/configuration_checks/confcheck_failed_threat_download.py as below:
--- confcheck_failed_threat_download.old.py
+++ confcheck_failed_threat_download.py
@@ -33,7 +33,7 @@
messages = []
- job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest=earliest)
+ job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest_time=earliest)
while elapsed < srch_timeout:
if job.isDone:
if job.resultCount > 0 or job.eventCount > 0:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
make sure that the directory still owned by the correct user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes directory owned by correct user.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm seeing 3 of the iblocklist* ones too, along with malware_domains. Our ES is running on Splunk Cloud
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
