Splunk Enterprise Security

Splunk Enterprise Security: Why does the Risk Analysis data model fail to build?

asimagu
Builder

This particular data model (Risk Analysis) that comes with Splunk Enterprise Security is failing to build due to a calculated field that generates from the correlationsearches_lookup.

I believe that the problem lies in the replication bundle not being able to copy/sync from the Search Heads to the Indexers.

So, when I try to use that lookup from the SH, it gives me the following error from each Indexer:

Streamed search execute failed because: Error in 'lookup' command

any ideas about how I could fix the problem with the bundle being transferred from Search Head to Indexers?

0 Karma
1 Solution

jwelch_splunk
Splunk Employee
Splunk Employee

You can't blacklist that file from your bundle on the search head.

To validate the issue:

run
|rest /services/datamodel/acceleration |search title=Risk |fields title search

In the search field copy and paste that entire search to your search bar and run it. You should see your Error.

Then modify the:
" lookup correlationsearches_lookup"
to
"lookup local=true correlationsearches_lookup"

This should now find data.

If this test works as I described it you need to review your distsearch.conf and find where you are blacklisting this this file and fix it.

Okie

View solution in original post

0 Karma

hazekamp
Builder

We are tracking several known causes for lookups not being replicated from SH->Indexer.

  1. If app is disabled. See app.conf
  2. If lookup is a kvstore collection and replicate is set to false. See collections.conf
  3. If lookup has been blacklisted from replication (applies to both csv and kvstore collections). See distsearch.conf.
  4. If distributed search is disabled (often seen in environments that upgraded to index clustering). See distsearch.conf.

David

jwelch_splunk
Splunk Employee
Splunk Employee

You can't blacklist that file from your bundle on the search head.

To validate the issue:

run
|rest /services/datamodel/acceleration |search title=Risk |fields title search

In the search field copy and paste that entire search to your search bar and run it. You should see your Error.

Then modify the:
" lookup correlationsearches_lookup"
to
"lookup local=true correlationsearches_lookup"

This should now find data.

If this test works as I described it you need to review your distsearch.conf and find where you are blacklisting this this file and fix it.

Okie

0 Karma

asimagu
Builder

are these lines the ones that I should delete/comment from my config file??

## Prevent correlation search list from being replicated via distsearch
## per SOLNESS-6255 these are no longer in use but will continue to be excluded
nocorrelationsearches     = apps[/\\]SA-ThreatIntelligence[/\\]lookups[/\\]correlationsearches.csv
0 Karma

jwelch_splunk
Splunk Employee
Splunk Employee

What version of ES are you running?

0 Karma

asimagu
Builder

4.5.1
is it possible that when someone upgraded the app, forgot to do any manual steps??

0 Karma

jwelch_splunk
Splunk Employee
Splunk Employee

Odd thing is this appears to have been moved to kvstore. Open a support case if you can and provide me the number. I want to make sure we take care of this the right way, I feel like we might be missing something.

Correlation Searches

[correlationsearches_lookup]
external_type = kvstore
collection = correlationsearches
fields_list = _key,security_domain,severity,rule_name,description,rule_title,rule_description,drilldown_name,drilldown_search,drilldown_earliest_offset,drilldown_latest_offset,default_status,default_owner,next_steps,recommended_actions
max_matches = 1

0 Karma

asimagu
Builder

I finally opened the Support Case: CASE [465439]

0 Karma

asimagu
Builder

I will try that once they give me access to open support cases. (I'm new here)

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...