Hi,
By reading the documentation, it seems like the Splunk ESCU app is built with contentctl from its git content: GitHub - splunk/security_content: Splunk Security Content.
I tried with several releases, the latest included: Release v5.1.0 · splunk/security_content · GitHub.
The build constantly fails.
A whole bunch of:
"
Error: 1 validation error for Detection
Value error, Found 1 issues when resolving references Security Content Object names:
- Failed to find the following 'DataSource'
"
Did I miss something?
I tried finding a switch to ignore the errors and build the app anyway, without success.
The dist directory remains empty.
I used a clean Ubuntu 24.04.2 LTS and ran:
apt update
apt full-upgrade
reboot now
apt update
apt install pipx
pipx ensurepath
reboot now
pipx install contentctl
wget https://github.com/splunk/security_content/archive/refs/tags/v5.1.0.tar.gz
tar -xzf v5.1.0.tar.gz
cd security_content-5.1.0/
contentctl build
Found out why: Release v5.1.0 · splunk/contentctl · GitHub
The latest release gives an Error instead of a warning for a bad DataSource.
Since it was just released, the latest version of Splunk ESCU was simply built with an older version and had a pile of non-blocking Warnings.
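The error in the thread comes from detections whose `data_source:` entries do not match the `name:` of any file under `data_sources/`, which contentctl v5.1.0 now treats as fatal. The script below is an added example (not contentctl's code and not part of the original post) that lists those unresolved references before a build is attempted. It assumes the security_content layout of a `data_sources/*.yml` directory whose files carry a `name:` field and `detections/**/*.yml` files whose `data_source:` is a list of those names; the sample data sources and detection paths embedded in it are constructed for illustration.

```python
"""Pre-flight check for unresolved DataSource references in security_content.

Added example, not contentctl's own validation. It assumes the repository
layout of splunk/security_content: data_sources/*.yml each carry a `name:`
field, and detections/**/*.yml carry a `data_source:` list whose entries
must match one of those names exactly. Run it from a repo checkout to see
which detections a strict contentctl build would reject.
"""
from __future__ import annotations

from pathlib import Path


def unresolved_data_sources(
    data_source_names: set[str], detections: dict[str, list[str]]
) -> dict[str, list[str]]:
    """Return {detection_file: [unknown data source names]} for every
    detection that references a DataSource absent from data_source_names.
    The comparison is exact (case and whitespace matter), which is what
    produces the 'Failed to find the following DataSource' error."""
    problems: dict[str, list[str]] = {}
    for detection_file, refs in detections.items():
        missing = [ref for ref in refs if ref not in data_source_names]
        if missing:
            problems[detection_file] = missing
    return problems


def load_repo(root: Path) -> tuple[set[str], dict[str, list[str]]]:
    """Read data_sources/ and detections/ from a security_content checkout.
    PyYAML is imported here so the pure check above has no dependencies."""
    import yaml  # pip install pyyaml

    names: set[str] = set()
    for path in (root / "data_sources").glob("*.yml"):
        doc = yaml.safe_load(path.read_text(encoding="utf-8")) or {}
        if "name" in doc:
            names.add(str(doc["name"]))
    detections: dict[str, list[str]] = {}
    for path in (root / "detections").rglob("*.yml"):
        doc = yaml.safe_load(path.read_text(encoding="utf-8")) or {}
        refs = doc.get("data_source") or []
        if isinstance(refs, str):
            refs = [refs]
        detections[str(path.relative_to(root))] = [str(r) for r in refs]
    return names, detections


# Constructed sample standing in for a checkout (hypothetical file names):
# two known data sources and three detections, one of which references a
# name that differs from the real one by a single space.
SAMPLE_DATA_SOURCES = {"Sysmon EventID 1", "Windows Event Log Security 4688"}
SAMPLE_DETECTIONS = {
    "detections/endpoint/a.yml": ["Sysmon EventID 1"],
    "detections/endpoint/b.yml": ["Windows Event Log Security 4688", "Sysmon EventID 1"],
    "detections/endpoint/c.yml": ["Sysmon Event ID 1"],  # typo: extra space
}


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        names, detections = load_repo(Path(sys.argv[1]))
    else:
        names, detections = SAMPLE_DATA_SOURCES, SAMPLE_DETECTIONS
    problems = unresolved_data_sources(names, detections)
    for detection_file, missing in sorted(problems.items()):
        print(f"{detection_file}: unknown DataSource(s) {missing}")
    sys.exit(1 if problems else 0)
```

With no argument the script runs against the embedded sample and reports `detections/endpoint/c.yml`; pass the path of a security_content checkout as the only argument to scan the real tree. It exits non-zero when anything is unresolved, so it can gate a build in a local script or CI job.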
Thanks, but those links don't help that much.
I also tried to replicate the CI/CD workflow (security_content/.github/workflows/build.yml at develop · splunk/security_content · GitHub) locally by doing:
pip install contentctl
git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
contentctl build --enrichments
Without any success.
Refer to the Splunk Security Content documentation for troubleshooting common errors. This can provide insights into resolving specific validation errors.
Troubleshooting common errors - Splunk Documentation
[BUG] - Build Failing Everytime · Issue #2894 · splunk/security_content