Optiv Threat Intel: How to troubleshoot why there is no data populating in the app in a search head cluster?

jroark
New Member

I installed the Optiv Threat Intel app on a search head cluster, but data is not populating. Additionally, I added the optiv index to the peer indexers as well. However, I'm still not getting threat data. Index has only 1 event from running the troubleshoot link in the app and it has been several hours. Anyone else have issues with this app on a cluster? Did I miss something?

0 Karma
1 Solution

derekarnold
Communicator

jroark, would it be possible to post the latest script log file?
It would look something like this:

/opt/splunk/var/log/splunk/optiv_threat_lists_script11-09-2015-10-14-37.log

What does the 1 event showing up on the Troubleshooting page say?

What platform is this? Linux/Windows?

john_glasscock
Path Finder

Did you have to create an index for the Optiv Threat Intel list?

0 Karma

derekarnold
Communicator

John,
I am showing a different inputs.conf in my 2.80 directory. This is what I have:

[monitor://$SPLUNK_HOME\var\log\splunk\optiv_*.log]
ignoreOlderThan=3d
crcSalt=<SOURCE>
index=optiv
sourcetype=optiv_threat_list
disabled=0

[script://./bin/starter_script.sh]
#[script://$SPLUNK_HOME/etc/apps/optiv_threat_intel/bin/starter_script.sh]
#8 hours
interval=28800
#interval=300
index=optiv
disabled=0

In your stanza listed above we're missing a key/value pair for crcSalt. Should we try blowing away the app and a clean reinstall with the latest version?

Also, what does the Troubleshooting section of the app show?

0 Karma

derekarnold
Communicator

index=optiv is created by the file default/indexes.conf.
The index name can be adjusted there. If you do so, make sure to change the optiv_index definition in macros.conf as well.

0 Karma

john_glasscock
Path Finder

Index optiv is there and my setup is the default /opt/splunk. I see the log files in /opt/splunk/var/log/splunk/optiv_*.log; however, the input is not pulling the files into the Splunk index optiv. I am running on a Red Hat server.
Here is my inputs.conf:

[monitor:///opt/splunk/var/log/splunk/optiv_*.log]
ignoreOlderThan=3d
crcSalt=
index=optiv
sourcetype=optiv_threat_list
disabled=0

Any help would be appreciated. Thanks.

0 Karma

jroark
New Member

After posting I looked at the troubleshooting log again and realized my install of splunk isn't on the standard /opt/splunk. Adding a symlink fixed the issue and threats started to populate. Error was on my end.

0 Karma

ppicciotti
New Member

Can you please provide the command or commands you used to resolve this issue. My Splunk installation is also not in the standard /opt/splunk. Thank you.

0 Karma

derekarnold
Communicator

I can't answer how to set up a symlink, but I did a find in files in my app, and if you find and replace these lines with the path of your Splunk installation you should be set:

grep -rnw '.' -e "/opt/splunk"
./bin/getalerts.py:38: splunk_home = '/opt/splunk'
./bin/starter_script.sh:5:THREAT_SCRIPT_PATH="/opt/splunk/etc/apps/optiv_threat_intel/bin/optiv_threat_lists.py"
./bin/starter_script.sh:6:RSS_SCRIPT_PATH="/opt/splunk/etc/apps/optiv_threat_intel/bin/getalerts.py"
./bin/starter_script.sh:7:#LOG_FOLDER="/opt/splunk/etc/apps/optiv_threat_intel/bin/"
./bin/starter_script.sh:8:LOG_FOLDER="/opt/splunk/var/log/splunk/"
./bin/starter_script.sh:9:PYTHON="/opt/splunk/bin/splunk cmd python"
./bin/optiv_threat_lists.py:64: splunk_home = '/opt/splunk'

wherever it says /opt/splunk, sub in your path.

0 Karma
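The find-and-replace described in the answer above, as an added, runnable example that is not part of the thread or of the Optiv app. It rebuilds the handful of bin/ lines the grep output reported as a constructed fixture under a temporary directory, rewrites the hard-coded /opt/splunk root to a non-default install root, keeps a backup of each touched file, and then re-runs the same grep check to confirm nothing still points at the old path. The fixture file contents, the backup directory name (bin.orig) and the target path /data/splunk are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the Optiv app's own code): rewrite the hard-coded
# /opt/splunk paths found by the post's grep so an app installed under a
# non-default SPLUNK_HOME can locate its own scripts and log folder.
set -u

# Print every line under DIR that still references OLD_HOME; this is the
# same check as the post's `grep -rnw '.' -e "/opt/splunk"`.
find_hardcoded() {
  dir="$1"; old_home="$2"
  grep -rn -e "$old_home" "$dir" 2>/dev/null
}

# Replace OLD_HOME with NEW_HOME in every file under APPDIR/bin that mentions it.
# Originals are copied to APPDIR/bin.orig/<file>.bak. Prints the number of files changed.
# Caveat: a bare substring match would also hit longer roots such as
# /opt/splunkforwarder, so the patterns anchor on the "/" or quote that follows
# the install root (the two forms the grep output shows: '/opt/splunk' and "/opt/splunk/...").
rewrite_splunk_home() {
  appdir="$1"; old_home="$2"; new_home="$3"
  files=$(grep -rl -e "$old_home" "$appdir/bin" 2>/dev/null) || true
  mkdir -p "$appdir/bin.orig"
  changed=0
  for f in $files; do
    cp -p "$f" "$appdir/bin.orig/$(basename "$f").bak"
    sed -e "s|$old_home/|$new_home/|g" \
        -e "s|$old_home\(['\"]\)|$new_home\1|g" \
        "$appdir/bin.orig/$(basename "$f").bak" > "$f"
    changed=$((changed + 1))
  done
  echo "$changed"
}

# Constructed fixture (assumption): the lines the post's grep reported, laid out
# as three small files so the example runs offline without a Splunk install.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/bin"
  cat > "$d/bin/starter_script.sh" <<'EOF'
#!/bin/sh
THREAT_SCRIPT_PATH="/opt/splunk/etc/apps/optiv_threat_intel/bin/optiv_threat_lists.py"
RSS_SCRIPT_PATH="/opt/splunk/etc/apps/optiv_threat_intel/bin/getalerts.py"
LOG_FOLDER="/opt/splunk/var/log/splunk/"
PYTHON="/opt/splunk/bin/splunk cmd python"
EOF
  printf "splunk_home = '/opt/splunk'\n" > "$d/bin/getalerts.py"
  printf "splunk_home = '/opt/splunk'\n" > "$d/bin/optiv_threat_lists.py"
  echo "$d"
}

# Stand-alone run: point the fixture at an assumed non-default root and show
# that no /opt/splunk references remain in bin/ afterwards.
app=$(make_fixture)
echo "files changed: $(rewrite_splunk_home "$app" /opt/splunk /data/splunk)"
echo "remaining references under bin/:"
find_hardcoded "$app/bin" /opt/splunk || echo "(none)"
rm -rf "$app"
```

Two practical notes. First, the symlink route jroark used avoids editing the app at all: `ln -s /your/actual/splunk /opt/splunk` lets every hard-coded path resolve unchanged, which is the safer choice if the app is reinstalled or upgraded, because a reinstall replaces the bin/ scripts and silently undoes the sed edits. Second, on a search head cluster the apps are pushed from the deployer, so an edit made directly on a cluster member is overwritten by the next bundle push; make the change in the deployer's copy of the app and push it from there.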