Splunk Enterprise Security

Splunk Stream: How can I integrate Splunk Stream with Enterprise Security and get the Adaptive Response action that runs one-off Streams to function?

gworkun
Explorer

Hey all,

Looking for any better documentation/steps on integrating Splunk Stream app with Enterprise Security.
Running Stream v. 7.1.1
Running Enterprise Security v. 4.7
OS/Environment: All Windows based

End goal is to get the Adaptive Response action that runs one-off Streams to function.

I've seen the 2-step documentation on getting Stream installed (we have the Stream TA on a number of forwarders for testing; they receive configuration changes from the "splunk_app_stream" on our non-ES Search Head just fine).

I've tested adding the Configuration Template (http://docs.splunk.com/Documentation/StreamApp/7.1.1/DeployStreamApp/UseStreamconfigurationtemplates) to one of the forwarders that has the Stream TA.

For ES, I have a test Notable Event on which I attempt to run the "Stream Capture" Adaptive Response action, filling out the "Fields" to search for with typical "src,src_ip,etc." fields, but the action either shows Failed or, if it shows Success at all, it does not pick up anything related to the source IP or destination IP of the Notable Event.

Just curious if there's anything missing or some better documentation on where the primary Splunk Stream app should reside (if it needs to be on the same search head as ES), if the Stream template needs to exist on the Stream TA that is on the search heads and not just the forwarders actually obtaining wire data, etc.

Any help would be fantastic! If more details are needed, let me know, and I'd be happy to supply.

0 Karma

stefanhutchison
Explorer

I believe your problem is that in order for the ES SH to be able to trigger the stream capture, it has to be the SH running the stream app that the forwarders are communicating with. At least, that is the impression I get from http://docs.splunk.com/Documentation/ES/4.7.4/Install/IntegrateSplunkStream

gworkun
Explorer

Thanks for the idea. I gave it a try: pointed the Universal Forwarder to the ES Search Head, turned off all the streams in the Stream app config to test being able to turn one on on demand, and now I am seeing successes in the Adaptive Response section of the Notable Events, but I'm not seeing any actual data come in.

Essentially, I'm not seeing anything for "orig_action_name=makestreams". Nothing is getting stream-ified.

0 Karma

gworkun
Explorer

An error I occasionally get when going to run the Adaptive Response action -> Stream Capture is the following:

"ERROR sendmodaction - signature="Splunkd daemon is not responding: ("Error connecting to /services/splunk_app_stream/streams/: ('The read operation timed out',)",)" action_name="makestreams"

OR

"ERROR sendmodaction - signature="No stream capture target" action_name="makestreams"

The first error I'm not sure what to do with. For the second error, I'm adding a number of fields to the "Fields" textbox to search for. I'm guessing the connection here to the forwarder is what needs to take place, but I'm not sure how to make contact.

0 Karma
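
The following is an added example, not code from the original thread and not Splunk's own code. It pulls together two things the thread turns on: stefanhutchison's point that the Stream forwarder (Splunk_TA_stream) must be pointed at the search head that is actually running splunk_app_stream, i.e. the ES search head, which is set in Splunk_TA_stream/local/inputs.conf under the [streamfwd://streamfwd] stanza as splunk_stream_app_location; and the two sendmodaction errors quoted in the post above, which the script recognises from the text the action logged. The hostnames, the two inputs.conf samples and the log lines are constructed for the example; the inputs.conf "before" copy shows the forwarder still pointed at the non-ES search head, the "after" copy shows it pointed at the ES search head. Run it as-is to see both cases, or feed it the real inputs.conf text from a forwarder and the sendmodaction lines from the ES search head.

```python
"""
Added example (not from the thread, not Splunk's code): offline checker for the
forwarder -> Stream app pointer and for the two sendmodaction errors quoted in
the thread. Hostnames, config text and log lines below are constructed.
"""
import configparser
import re
from urllib.parse import urlparse

STANZA = "streamfwd://streamfwd"
LOCATION_KEY = "splunk_stream_app_location"
# Endpoint named in the first error the thread quotes.
STREAMS_ENDPOINT = "/services/splunk_app_stream/streams/"

# Constructed: forwarder still pointed at the non-ES search head (the original setup).
INPUTS_CONF_BEFORE = f"""\
[{STANZA}]
{LOCATION_KEY} = https://search01.example.local:8000/en-us/custom/splunk_app_stream/
disabled = 0
"""

# Constructed: forwarder pointed at the ES search head, as the reply suggests.
INPUTS_CONF_AFTER = f"""\
[{STANZA}]
{LOCATION_KEY} = https://es-sh.example.local:8000/en-us/custom/splunk_app_stream/
disabled = 0
"""

# The two error lines quoted in the thread, used here as sample input.
SAMPLE_LOG_LINES = [
    'ERROR sendmodaction - signature="Splunkd daemon is not responding: '
    '("Error connecting to /services/splunk_app_stream/streams/: '
    '(\'The read operation timed out\',)",)" action_name="makestreams"',
    'ERROR sendmodaction - signature="No stream capture target" action_name="makestreams"',
]

ACTION_RE = re.compile(r'action_name="([^"]+)"')


def stream_app_location(inputs_conf_text):
    """Return splunk_stream_app_location from the streamfwd stanza, or None if unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(inputs_conf_text)
    if not cp.has_section(STANZA):
        return None
    return cp.get(STANZA, LOCATION_KEY, fallback=None)


def forwarder_points_at(inputs_conf_text, es_search_head):
    """True if the forwarder fetches its stream configuration from the given host."""
    url = stream_app_location(inputs_conf_text)
    if not url:
        return False
    parsed = urlparse(url)
    host_ok = (parsed.hostname or "").lower() == es_search_head.lower()
    path_ok = parsed.path.rstrip("/").endswith("/custom/splunk_app_stream")
    return host_ok and path_ok


def classify_sendmodaction(line):
    """Label one sendmodaction line by the two failure signatures quoted in the thread."""
    action = ACTION_RE.search(line)
    result = {"action_name": action.group(1) if action else None}
    if STREAMS_ENDPOINT in line and "timed out" in line:
        # splunkd got no answer from the Stream app's streams endpoint, so no
        # ephemeral stream was created (the thread's first error).
        result["problem"] = "stream_app_unreachable"
    elif 'signature="No stream capture target"' in line:
        # The action ran but reported no capture target (the thread's second error).
        result["problem"] = "no_capture_target"
    else:
        result["problem"] = None
    return result


def diagnose(inputs_conf_text, es_search_head, log_lines):
    """Combine the forwarder pointer check with the log triage into one summary."""
    problems = [classify_sendmodaction(ln)["problem"] for ln in log_lines]
    return {
        "stream_app_location": stream_app_location(inputs_conf_text),
        "forwarder_points_at_es_sh": forwarder_points_at(inputs_conf_text, es_search_head),
        "problems": [p for p in problems if p],
    }


if __name__ == "__main__":
    for label, conf in (("before", INPUTS_CONF_BEFORE), ("after", INPUTS_CONF_AFTER)):
        print(label, diagnose(conf, "es-sh.example.local", SAMPLE_LOG_LINES))
```

The pointer check only confirms where the forwarder will ask for its stream configuration; whether the ES search head's splunkd can reach its own Stream app (the first error) still has to be checked on that search head.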