Splunk Enterprise Security

Splunk Enterprise Security: Why does the Risk Analysis data model fail to build?

asimagu
Builder

This particular data model (Risk Analysis) that comes with Splunk Enterprise Security is failing to build due to a calculated field that generates from the correlationsearches_lookup.

I believe that the problem lies in the replication bundle not being able to copy/sync from the Search Heads to the Indexers.

So, when I try to use that lookup from the SH, it gives me the following error from each Indexer:

Streamed search execute failed because: Error in 'lookup' command

any ideas about how I could fix the problem with the bundle being transferred from Search Head to Indexers?

0 Karma
1 Solution

jwelch_splunk
Splunk Employee
Splunk Employee

You can't blacklist that file from your bundle on the search head.

To validate the issue:

run
|rest /services/datamodel/acceleration |search title=Risk |fields title search

In the search field copy and paste that entire search to your search bar and run it. You should see your Error.

Then modify the:
" lookup correlationsearches_lookup"
to
"lookup local=true correlationsearches_lookup"

This should now find data.

If this test works as I described it you need to review your distsearch.conf and find where you are blacklisting this this file and fix it.

Okie

View solution in original post

0 Karma

hazekamp
Builder

We are tracking several known causes for lookups not being replicated from SH->Indexer.

  1. If app is disabled. See app.conf
  2. If lookup is a kvstore collection and replicate is set to false. See collections.conf
  3. If lookup has been blacklisted from replication (applies to both csv and kvstore collections). See distsearch.conf.
  4. If distributed search is disabled (often seen in environments that upgraded to index clustering). See distsearch.conf.

David

jwelch_splunk
Splunk Employee
Splunk Employee

You can't blacklist that file from your bundle on the search head.

To validate the issue:

run
|rest /services/datamodel/acceleration |search title=Risk |fields title search

In the search field copy and paste that entire search to your search bar and run it. You should see your Error.

Then modify the:
" lookup correlationsearches_lookup"
to
"lookup local=true correlationsearches_lookup"

This should now find data.

If this test works as I described it you need to review your distsearch.conf and find where you are blacklisting this this file and fix it.

Okie

0 Karma

asimagu
Builder

are these lines the ones that I should delete/comment from my config file??

## Prevent correlation search list from being replicated via distsearch
## per SOLNESS-6255 these are no longer in use but will continue to be excluded
nocorrelationsearches     = apps[/\\]SA-ThreatIntelligence[/\\]lookups[/\\]correlationsearches.csv
0 Karma

jwelch_splunk
Splunk Employee
Splunk Employee

What version of ES are you running?

0 Karma

asimagu
Builder

4.5.1
is it possible that when someone upgraded the app, forgot to do any manual steps??

0 Karma

jwelch_splunk
Splunk Employee
Splunk Employee

Odd thing is this appears to have been moved to kvstore. Open a support case if you can and provide me the number. I want to make sure we take care of this the right way, I feel like we might be missing something.

Correlation Searches

[correlationsearches_lookup]
external_type = kvstore
collection = correlationsearches
fields_list = _key,security_domain,severity,rule_name,description,rule_title,rule_description,drilldown_name,drilldown_search,drilldown_earliest_offset,drilldown_latest_offset,default_status,default_owner,next_steps,recommended_actions
max_matches = 1

0 Karma

asimagu
Builder

I finally opened the Support Case: CASE [465439]

0 Karma

asimagu
Builder

I will try that once they give me access to open support cases. (I'm new here)

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...