contentctl fails to build security_content-5.1.0 (the release version)

User3
Explorer

Hi,

By reading the documentation, it seems like the Splunk ESCU app is built with contentctl from its git content: GitHub - splunk/security_content: Splunk Security Content.

I tried with several releases, the latest included: Release v5.1.0 · splunk/security_content · GitHub.

The build constantly fails.
A whole bunch of:
"
Error: 1 validation error for Detection
Value error, Found 1 issues when resolving references Security Content Object names:
- Failed to find the following 'DataSource'
"
Did I miss something?
I tried finding a switch to ignore the errors and build the app anyway without success.
The dist directory remains empty.

I used a clean Ubuntu 24.04.2 LTS and used:
apt update
apt full-upgrade
reboot now
apt update
apt install pipx
pipx ensurepath
reboot now
pipx install contentctl
wget https://github.com/splunk/security_content/archive/refs/tags/v5.1.0.tar.gz
tar -xzf v5.1.0.tar.gz
cd security_content-5.1.0/
contentctl build

Tags (2)
0 Karma
1 Solution

User3
Explorer

Found out why: Release v5.1.0 · splunk/contentctl · GitHub
The latest release gives an error instead of a warning for a bad DataSource.
Since it was just released, the latest version of Splunk ESCU was simply built with an older version and had a pile of non-blocking warnings.

0 Karma
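The error quoted above is a detection whose data_source list names a DataSource that no file under data_sources/ defines. The script below is an added example (not contentctl's own code) that lists those unresolved references before a build is attempted; it assumes the repository layout of detections/**/*.yml with a data_source list and data_sources/*.yml with a name field, and the sample records are constructed.

```python
"""Pre-flight check: detections referencing DataSource names that are not defined."""
from pathlib import Path

try:
    import yaml  # PyYAML, only needed when walking a real checkout
except ImportError:  # the pure-Python check below still works without it
    yaml = None


def find_unresolved(detections, data_sources):
    """Return {detection name: [missing DataSource names]} for detections
    (dicts from detections/**/*.yml) whose data_source entries are not the
    name of any data_sources/*.yml record. Clean detections are omitted."""
    known = {ds["name"] for ds in data_sources if "name" in ds}
    unresolved = {}
    for det in detections:
        refs = det.get("data_source") or []
        if isinstance(refs, str):  # tolerate a scalar where a list is expected
            refs = [refs]
        missing = sorted(set(refs) - known)
        if missing:
            unresolved[det.get("name", "<unnamed>")] = missing
    return unresolved


def load_yaml_dir(root):
    """Parse every *.yml under root into a list of dicts (requires PyYAML)."""
    if yaml is None:
        raise RuntimeError("PyYAML is required to read a checkout")
    docs = []
    for path in sorted(Path(root).rglob("*.yml")):
        with open(path, encoding="utf-8") as fh:
            doc = yaml.safe_load(fh)
        if isinstance(doc, dict):
            docs.append(doc)
    return docs


def check_repo(repo_root):
    """Run the check against a security_content checkout (layout assumed)."""
    root = Path(repo_root)
    return find_unresolved(load_yaml_dir(root / "detections"),
                           load_yaml_dir(root / "data_sources"))


# Constructed sample records, not taken from the repository:
SAMPLE_DATA_SOURCES = [{"name": "Sysmon EventID 1"}, {"name": "Windows Security 4688"}]
SAMPLE_DETECTIONS = [
    {"name": "Good Detection", "data_source": ["Sysmon EventID 1"]},
    {"name": "Stale Detection", "data_source": ["Sysmon EventID 1", "Sysmon EventID 99"]},
]

if __name__ == "__main__":
    import sys
    result = (check_repo(sys.argv[1]) if len(sys.argv) > 1
              else find_unresolved(SAMPLE_DETECTIONS, SAMPLE_DATA_SOURCES))
    for det, missing in result.items():
        print(f"{det}: unresolved DataSource {missing}")
    sys.exit(1 if result else 0)
```

Run it with the checkout path as its only argument; a non-zero exit code means at least one detection would trip the validation error shown above.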

User3
Explorer

Thanks, but those links don't help that much.
I also tried to replicate the CI/CD workflow (security_content/.github/workflows/build.yml at develop · splunk/security_content · GitHub) locally by doing:
pip install contentctl
git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
contentctl build --enrichments

Without any success.

0 Karma

kiran_panchavat
SplunkTrust
SplunkTrust

@User3 

Refer to the Splunk Security Content documentation for troubleshooting common errors. This can provide insights into resolving specific validation errors.

Troubleshooting common errors - Splunk Documentation

[BUG] - Build Failing Everytime · Issue #2894 · splunk/security_content

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma