Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security: Why am I getting this error message "msg="A threat intelligence download has failed" stanza="alexa_top_one_million_sites""?

emmanuelpeter
New Member
‎03-09-2017 06:41 AM

Splunk Enterprise Security: why am I getting this error message?

msg="A threat intelligence download has failed" stanza="alexa_top_one_million_sites" status="threat list download failed after multiple retries"
0 Karma
Reply

jwelch_splunk
Splunk Employee
Splunk Employee
‎03-10-2017 08:40 AM

We ended up working this issue from a support perspective, and this was related to specific configs within the customers ENV. If customer wishes to share our findings he can note that here.

Having said that under normal circumstances, using wget to validate connectivity from SH to source is a good first start to understand why the download is failing.

0 Karma
Reply

jwelch_splunk
Splunk Employee
Splunk Employee
‎03-09-2017 09:07 PM

You could also be hitting a bug.
What version of ES are you running?

0 Karma
Reply

emmanuelpeter
New Member
‎03-10-2017 02:48 AM

I'm currently running Splunk Version 6.4.1.2
what sort of bug could that be?

0 Karma
Reply

jwelch_splunk
Splunk Employee
Splunk Employee
‎03-10-2017 03:50 AM

What version of ES are you running

0 Karma
Reply

emmanuelpeter
New Member
‎03-10-2017 04:21 AM

currently is 4.2.0

0 Karma
Reply

jwelch_splunk
Splunk Employee
Splunk Employee
‎03-10-2017 05:46 AM

Hmm, this indicates you are a cloud customer. If that is the case email me your info jwelch @ splunk dot com.

I will take a look for you.

Otherwise, if I am missing something here, we log the success or failure of a download in the threatlist.log in /opt/splunk/var/log/splunk

index=_internal source =*threatlist.log alexa

This could be related to a previous failure and now it is successful, and you are hitting the bug I was talking about, which I did not think affected 4.2.0

Or it really is failing and I need to see why from the backend.

If you are not a cloud customer you could try this from your SH

wget https://s3.amazonaws.com/alexa-static/top-1m.csv.zip? to determine if you have success.

Let me know here or via email how I can help

0 Karma
Reply

emmanuelpeter
New Member
‎03-10-2017 07:03 AM

I've dropped you an email. please do let me know if you receive it.

0 Karma
Reply

mparks11
Path Finder
‎03-09-2017 09:28 AM

Can you access the URL: https://s3.amazonaws.com/alexa-static/top-1m.csv.zip? This is where the Alexa Top Million is hosted. Personally, I can, so I know they haven't shut down the Alext top million (like happened a few months back and presumably will happen again). It's possible that your Splunk ES Search Head can't access that URL itself, blocked by a content filter or web proxy in your network somewhere. If you don't use the Alexa Top Million, you could just disable the input.

Reply

emmanuelpeter
New Member
‎03-10-2017 02:53 AM

I can access the CSV.Zip, but how can I check to see if my search head can access it. Thanks

0 Karma
Reply

mparks11
Path Finder
‎03-10-2017 07:46 AM

Looks like jwelch beat me to the punch! 

wget https://s3.amazonaws.com/alexa-static/top-1m.csv.zip
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...