Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk for Enterprise Security 3.2: Why is lookup threatlist_names.csv not populated correctly?

gstefan
Engager
‎11-25-2014 07:17 AM

Hi,

My installation is downloading threat lists correctly, but lookup threatlist_names.csv is not populated correctly. Search "| rest /services/data/inputs/threatlist" produces no results even though when I go to splunk:8089:/services/data/inputs/threatlist it looks correct.
It seems that my installation is not working at all.

Regards

Reply
1 Solution
Solved! Jump to solution
Solution

jakewalter
Explorer
‎02-11-2015 10:26 AM

I was able to solve this by adding splunk_server=local to the Threalists - Threatlist Inventory - Lookup Gen scheduled search in SA-ThreatIntelligence, so the full search would look like this:

| rest /services/data/inputs/threatlist splunk_server=local | where target="threatlist" AND disabled=0 | rename title as name | table name weight | outputlookup threatlist_names

View solution in original post

Reply
Solved! Jump to solution
Solution

jakewalter
Explorer
‎02-11-2015 10:26 AM

I was able to solve this by adding splunk_server=local to the Threalists - Threatlist Inventory - Lookup Gen scheduled search in SA-ThreatIntelligence, so the full search would look like this:

| rest /services/data/inputs/threatlist splunk_server=local | where target="threatlist" AND disabled=0 | rename title as name | table name weight | outputlookup threatlist_names
Reply
Solved! Jump to solution

chris
Motivator
‎02-17-2015 01:39 AM

I had the same issue. I also had to manually edit the Threat List Audit View (/app/SplunkEnterpriseSecuritySuite/threat_list_audit) and add a splunk_server=local to the searches that use the rest command.

0 Karma
Reply
Solved! Jump to solution

hexx
Splunk Employee
Splunk Employee
‎04-11-2015 09:23 AM

Just curious but did these issues happen after setting up the Distributed Management Console in distributed mode on your ES search-head?

0 Karma
Reply
Solved! Jump to solution

niemesrw
Path Finder
‎02-26-2016 07:46 PM

I had a similar issue - my notable_owners weren't being built b/c the | rest command returns something different than browsing to the SH via normal restful interface. I reset the DMC and all is well again. Thanks!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...