Splunk Enterprise Security

Splunk Enterprise Security: Why does the Risk Analysis data model fail to build?

asimagu
Builder

This particular data model (Risk Analysis) that comes with Splunk Enterprise Security is failing to build due to a calculated field that generates from the correlationsearches_lookup.

I believe that the problem lies in the replication bundle not being able to copy/sync from the Search Heads to the Indexers.

So, when I try to use that lookup from the SH, it gives me the following error from each Indexer:

Streamed search execute failed because: Error in 'lookup' command

any ideas about how I could fix the problem with the bundle being transferred from Search Head to Indexers?

0 Karma
1 Solution

jwelch_splunk
Splunk Employee
Splunk Employee

You can't blacklist that file from your bundle on the search head.

To validate the issue:

run
|rest /services/datamodel/acceleration |search title=Risk |fields title search

In the search field copy and paste that entire search to your search bar and run it. You should see your Error.

Then modify the:
" lookup correlationsearches_lookup"
to
"lookup local=true correlationsearches_lookup"

This should now find data.

If this test works as I described it you need to review your distsearch.conf and find where you are blacklisting this this file and fix it.

Okie

View solution in original post

0 Karma

hazekamp
Builder

We are tracking several known causes for lookups not being replicated from SH->Indexer.

  1. If app is disabled. See app.conf
  2. If lookup is a kvstore collection and replicate is set to false. See collections.conf
  3. If lookup has been blacklisted from replication (applies to both csv and kvstore collections). See distsearch.conf.
  4. If distributed search is disabled (often seen in environments that upgraded to index clustering). See distsearch.conf.

David

jwelch_splunk
Splunk Employee
Splunk Employee

You can't blacklist that file from your bundle on the search head.

To validate the issue:

run
|rest /services/datamodel/acceleration |search title=Risk |fields title search

In the search field copy and paste that entire search to your search bar and run it. You should see your Error.

Then modify the:
" lookup correlationsearches_lookup"
to
"lookup local=true correlationsearches_lookup"

This should now find data.

If this test works as I described it you need to review your distsearch.conf and find where you are blacklisting this this file and fix it.

Okie

0 Karma

asimagu
Builder

are these lines the ones that I should delete/comment from my config file??

## Prevent correlation search list from being replicated via distsearch
## per SOLNESS-6255 these are no longer in use but will continue to be excluded
nocorrelationsearches     = apps[/\\]SA-ThreatIntelligence[/\\]lookups[/\\]correlationsearches.csv
0 Karma

jwelch_splunk
Splunk Employee
Splunk Employee

What version of ES are you running?

0 Karma

asimagu
Builder

4.5.1
is it possible that when someone upgraded the app, forgot to do any manual steps??

0 Karma

jwelch_splunk
Splunk Employee
Splunk Employee

Odd thing is this appears to have been moved to kvstore. Open a support case if you can and provide me the number. I want to make sure we take care of this the right way, I feel like we might be missing something.

Correlation Searches

[correlationsearches_lookup]
external_type = kvstore
collection = correlationsearches
fields_list = _key,security_domain,severity,rule_name,description,rule_title,rule_description,drilldown_name,drilldown_search,drilldown_earliest_offset,drilldown_latest_offset,default_status,default_owner,next_steps,recommended_actions
max_matches = 1

0 Karma

asimagu
Builder

I finally opened the Support Case: CASE [465439]

0 Karma

asimagu
Builder

I will try that once they give me access to open support cases. (I'm new here)

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...