Splunk Dev

contentctl fails to build security_content-5.1.0 (the release version)

User3
Explorer

Hi,

By reading the documentation, it seems like the Splunk ESCU app is built with contentctl from its Git content: GitHub - splunk/security_content: Splunk Security Content.

I tried with several releases, the latest included: Release v5.1.0 · splunk/security_content · GitHub.

The build constantly fails.
A whole bunch of:
"
Error: 1 validation error for Detection
Value error, Found 1 issues when resolving references Security Content Object names:
- Failed to find the following 'DataSource'
"
Did I miss something?
I tried finding a switch to ignore the errors and build the app anyway, without success.
The dist directory remains empty.

I used a clean Ubuntu 24.04.2 LTS and ran:
apt update
apt full-upgrade
reboot now
apt update
apt install pipx
pipx ensurepath          # puts ~/.local/bin on PATH
reboot now
pipx install contentctl  # latest contentctl release from PyPI
wget https://github.com/splunk/security_content/archive/refs/tags/v5.1.0.tar.gz
tar -xzf v5.1.0.tar.gz
cd security_content-5.1.0/
contentctl build

0 Karma

User3
Explorer

Found out why: Release v5.1.0 · splunk/contentctl · GitHub
The latest release gives an Error instead of a Warning for a bad DataSource.
Since it was just released, the latest version of Splunk ESCU was simply built with an older version and had a pile of non-blocking Warnings.

0 Karma
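The error quoted in the question is a name-resolution failure: a detection's data_source list names a DataSource that no file under data_sources/ defines. Before re-running a build (or after pinning an older contentctl), it helps to know exactly which detections carry such references. The script below is an added example, not code from security_content or contentctl. It assumes the repository layout of splunk/security_content (detection YAML under detections/ with a data_source: list; one DataSource per file under data_sources/ with a top-level name:) and uses a deliberately small line-based reader for just those two fields so it needs no PyYAML. The sample repository it builds in a temp directory is constructed for the demonstration.

```python
"""Find detections whose data_source entries do not resolve to a DataSource.

Added example (not part of security_content or contentctl). Assumes the
splunk/security_content layout: detections/**/*.yml with a `data_source:`
list of names, and data_sources/*.yml each defining one DataSource via a
top-level `name:`. Only those two fields are parsed, so no PyYAML is needed.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# A YAML sequence item: optional indent, "-", whitespace, the value.
_ITEM = re.compile(r"^\s*-\s+(.*?)\s*$")


def _unquote(value: str) -> str:
    """Strip surrounding single/double quotes from a scalar, if present."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def read_data_source_name(path: Path) -> str | None:
    """Return the top-level `name:` of a data_sources/*.yml file."""
    for line in path.read_text(encoding="utf-8").splitlines():
        if line.startswith("name:"):
            return _unquote(line[len("name:"):])
    return None


def read_detection_data_sources(path: Path) -> tuple[str | None, list[str]]:
    """Return (detection name, names listed under `data_source:`)."""
    name: str | None = None
    refs: list[str] = []
    in_list = False
    for line in path.read_text(encoding="utf-8").splitlines():
        if line.startswith("name:"):
            name = _unquote(line[len("name:"):])
        if in_list:
            m = _ITEM.match(line)
            if m:
                refs.append(_unquote(m.group(1)))
                continue
            in_list = False  # first non-item line ends the block sequence
        if line.startswith("data_source:"):
            rest = line[len("data_source:"):].strip()
            if rest == "":
                in_list = True  # block sequence follows on the next lines
            elif rest.startswith("[") and rest.endswith("]"):
                # flow sequence on one line: data_source: [A, B]
                refs.extend(_unquote(x) for x in rest[1:-1].split(",") if x.strip())
    return name, refs


def find_unresolved_data_sources(root: Path) -> dict[str, list[str]]:
    """Map each detection (path relative to root) to the data_source names it
    references that no data_sources/*.yml defines. Empty dict means the build
    should not hit the 'Failed to find the following DataSource' error."""
    defined = {
        n for n in (read_data_source_name(p) for p in (root / "data_sources").glob("*.yml")) if n
    }
    unresolved: dict[str, list[str]] = {}
    for det in sorted((root / "detections").rglob("*.yml")):
        _, refs = read_detection_data_sources(det)
        missing = [r for r in refs if r not in defined]
        if missing:
            unresolved[str(det.relative_to(root))] = missing
    return unresolved


# Constructed sample repository (not real security_content files).
_SAMPLE_FILES = {
    "data_sources/sysmon_eventid_1.yml": "name: Sysmon EventID 1\nid: 00000000-0000-0000-0000-000000000001\n",
    "data_sources/windows_security_4688.yml": 'name: "Windows Event Log Security 4688"\n',
    "detections/endpoint/good.yml": (
        "name: Good Detection\ndata_source:\n- Sysmon EventID 1\n"
        "- Windows Event Log Security 4688\nsearch: '| tstats count'\n"
    ),
    # "Sysmon Event ID 7" (with a space) does not match any defined name.
    "detections/endpoint/bad.yml": "name: Bad Detection\ndata_source:\n  - Sysmon EventID 1\n  - Sysmon Event ID 7\nsearch: x\n",
    "detections/cloud/inline.yml": "name: Inline List\ndata_source: [AWS CloudTrail]\nsearch: y\n",
}


def build_sample_repo() -> Path:
    """Write the constructed sample tree to a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="security_content_sample_"))
    for rel, text in _SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text, encoding="utf-8")
    return root


if __name__ == "__main__":
    for det_path, missing in find_unresolved_data_sources(build_sample_repo()).items():
        print(f"{det_path}: failed to find DataSource {missing}")
```

Point find_unresolved_data_sources at the unpacked security_content-5.1.0 directory to get the list of offending detections and names; each entry is either a typo in a detection's data_source list or a DataSource file that is missing from the release tarball. If, as the answer above states, the failure comes from contentctl 5.1.0 promoting the warning to an error, the other workaround is to pin an older contentctl with a pip-style version specifier, e.g. pipx install 'contentctl<5.1.0' (assumption: the version that still warned is the one immediately before 5.1.0).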

User3
Explorer

Thanks, but those links don't help that much.
I also tried to replicate the CI/CD workflow (security_content/.github/workflows/build.yml at develop · splunk/security_content · GitHub) locally by doing:
pip install contentctl
git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
contentctl build --enrichments

Without any success.

0 Karma

kiran_panchavat
SplunkTrust

@User3 

Refer to the Splunk Security Content documentation for troubleshooting common errors. This can provide insights into resolving specific validation errors:

Troubleshooting common errors - Splunk Documentation

[BUG] - Build Failing Everytime · Issue #2894 · splunk/security_content 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma