This particular data model (Risk Analysis) that comes with Splunk Enterprise Security is failing to build due to a calculated field that is generated from the correlationsearches_lookup.
I believe that the problem lies in the replication bundle not being able to copy/sync from the Search Heads to the Indexers.
So, when I try to use that lookup from the SH, it gives me the following error from each Indexer:
Streamed search execute failed because: Error in 'lookup' command
Any ideas about how I could fix the problem with the bundle being transferred from the Search Head to the Indexers?
You can't blacklist that file from your bundle on the search head.
To validate the issue, run:
|rest /services/datamodel/acceleration |search title=Risk |fields title search
From the search field, copy and paste that entire search into your search bar and run it. You should see your error.
Then modify the
"lookup correlationsearches_lookup"
to
"lookup local=true correlationsearches_lookup"
This should now find data.
If this test works as I described, you need to review your distsearch.conf, find where you are blacklisting this file, and fix it.
Okie
We are tracking several known causes for lookups not being replicated from SH->Indexer:
- If the app is disabled. See app.conf.
- If the lookup is a kvstore collection and replicate is set to false. See collections.conf.
- If the lookup has been blacklisted from replication (applies to both csv and kvstore collections). See distsearch.conf.
- If distributed search is disabled (often seen in environments that upgraded to index clustering). See distsearch.conf.
David
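As an added example (not from the thread and not Splunk's own tooling), here is a small Python checker that applies the four causes listed above to .conf text. It assumes the standard stanza and key names (app.conf [install] state, collections.conf replicate, distsearch.conf [distributedSearch] disabled and [replicationBlacklist]), assumes blacklist regexes are matched against a path of the form apps/<app>/lookups/<file>, and applies the blacklist only to the CSV form quoted in the thread; the .conf snippets in DEMO are constructed samples.

```python
# Added example (not from the thread): applies the four replication blockers listed
# above to Splunk .conf text. Stanza/key names are standard Splunk; DEMO is constructed.
import configparser
import re

def parse_conf(text):
    """Parse Splunk .conf text (INI-like, case-sensitive keys, '#' comments)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as Splunk does
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def is_true(value, default):
    return str(default if value is None else value).strip().lower() in ("1", "true")

def replication_blockers(app, lookup, app_conf, collections_conf, distsearch_conf, transforms_conf):
    """Return the reasons why `lookup` in `app` would not reach the indexers."""
    ac, cc, dc, tc = (parse_conf(c) for c in (app_conf, collections_conf, distsearch_conf, transforms_conf))
    reasons = []
    if ac.get("install", {}).get("state", "enabled").lower() == "disabled":
        reasons.append("app disabled: app.conf [install] state = disabled")
    if is_true(dc.get("distributedSearch", {}).get("disabled"), "false"):
        reasons.append("distributed search off: distsearch.conf [distributedSearch] disabled = true")
    stanza = tc.get(lookup, {})
    if stanza.get("external_type") == "kvstore":
        coll = stanza.get("collection", "")
        # collections.conf 'replicate' defaults to false, so an unset key blocks replication too
        if not is_true(cc.get(coll, {}).get("replicate"), "false"):
            reasons.append(f"kvstore collection '{coll}' has collections.conf replicate = false")
    elif "filename" in stanza:
        # CSV lookups travel as files; replicationBlacklist regexes match the path under etc/ (assumed form)
        rel_path = f"apps/{app}/lookups/{stanza['filename']}"
        for name, pattern in dc.get("replicationBlacklist", {}).items():
            if re.search(pattern, rel_path):
                reasons.append(f"blacklisted by distsearch.conf [replicationBlacklist] {name}")
    return reasons

DEMO = {  # constructed samples; stanzas mirror the ones quoted in the thread
    "app": "[install]\nstate = enabled\n",
    "collections": "[correlationsearches]\n",  # no replicate key at all
    "transforms": "[correlationsearches_lookup]\nexternal_type = kvstore\ncollection = correlationsearches\n",
    "distsearch": r"""[distributedSearch]
disabled = false
[replicationBlacklist]
nocorrelationsearches = apps[/\\]SA-ThreatIntelligence[/\\]lookups[/\\]correlationsearches.csv
""",
}

def demo(transforms=DEMO["transforms"]):
    """kvstore form (default) is blocked by the missing replicate flag; a csv stanza hits the blacklist."""
    return replication_blockers("SA-ThreatIntelligence", "correlationsearches_lookup",
                                DEMO["app"], DEMO["collections"], DEMO["distsearch"], transforms)
```

Calling demo() shows the kvstore lookup stopped by collections.conf rather than by the old csv blacklist line, while demo("[correlationsearches_lookup]\nfilename = correlationsearches.csv\n") shows the blacklist match instead.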
Are these lines the ones that I should delete/comment out in my config file?
## Prevent correlation search list from being replicated via distsearch
## per SOLNESS-6255 these are no longer in use but will continue to be excluded
nocorrelationsearches = apps[/\\]SA-ThreatIntelligence[/\\]lookups[/\\]correlationsearches.csv
What version of ES are you running?
4.5.1
Is it possible that when someone upgraded the app, they forgot to do any manual steps?
Odd thing is this appears to have been moved to kvstore. Open a support case if you can and provide me the number. I want to make sure we take care of this the right way, I feel like we might be missing something.
Correlation Searches
[correlationsearches_lookup]
external_type = kvstore
collection = correlationsearches
fields_list = _key,security_domain,severity,rule_name,description,rule_title,rule_description,drilldown_name,drilldown_search,drilldown_earliest_offset,drilldown_latest_offset,default_status,default_owner,next_steps,recommended_actions
max_matches = 1
I finally opened the Support Case: CASE [465439]
I will try that once they give me access to open support cases. (I'm new here)
