Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security: How to troubleshoot why a Threat Intelligence download is failing for a single download source?

brwilson
Explorer
‎04-13-2016 08:37 AM

We are having an issue where a single threat intelligence download is failing (SANS blocklist) regularly. I can wget the file just fine from the search head where Splunk Enterprise Security is installed, so I'm not sure it's a network problem with reaching the site. Is there any place I can get a more specific error message as to why this is failing? 

msg="A threat intelligence download has failed" stanza="sans" status="threat list download failed after multiple retries"
Reply

gjanders
SplunkTrust
SplunkTrust
‎06-02-2017 04:42 PM

I logged a case on 4.7.0, I believe the issue will get fixed in 4.7.2
As a workaround, you can edit :
/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/configuration_checks/confcheck_failed_threat_download.py as below

Change:

    job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest=earliest)

To:

    job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest_time=earliest)

The difference on that last line is the earliest_time= setting....once I did that the warnings went away.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply

salbro
Path Finder
‎06-02-2017 02:00 PM

Was there ever a resolution to this? I have this problem after upgrading to ES 4.7.1

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...