Splunk Enterprise Security

Splunk for Enterprise Security 3.2: Why is lookup threatlist_names.csv not populated correctly?

Engager

Hi,

My installation is downloading threat lists correctly, but lookup threatlist_names.csv is not populated correctly. Search "| rest /services/data/inputs/threatlist" produces no results even though when I go to splunk:8089:/services/data/inputs/threatlist it looks correct.
It seems that my installation is not working at all.

Regards

1 Solution

Explorer

I was able to solve this by adding splunk_server=local to the Threatlists - Threatlist Inventory - Lookup Gen scheduled search in SA-ThreatIntelligence, so the full search would look like this:

| rest /services/data/inputs/threatlist splunk_server=local | where target="threatlist" AND disabled=0 | rename title as name | table name weight | outputlookup threatlist_names

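The accepted answer's fix works because on a search head in distributed mode a bare `| rest` call fans out to the search peers, while the threatlist modular inputs exist only on the search head; `splunk_server=local` keeps the REST call on the search head. The following search is an added check (not from the original post or from SA-ThreatIntelligence) that a practitioner can run after applying the fix: it pulls the enabled threatlist inputs locally, pulls the generated lookup, and reports any names that appear on only one side, so drift between the inputs and threatlist_names.csv shows up directly. The field names `title`, `disabled`, `target` and `weight`, and the lookup name `threatlist_names`, are taken from the search in the answer above; the `source` field is a label introduced here for the comparison.

```spl
| rest /services/data/inputs/threatlist splunk_server=local
| where target="threatlist" AND disabled=0
| rename title as name
| table name weight
| eval source="rest_input"
| append [
    | inputlookup threatlist_names
    | table name weight
    | eval source="lookup"
  ]
| stats values(source) as sources, values(weight) as weights by name
| where mvcount(sources) < 2
| table name sources weights
```

An empty result means the lookup matches the enabled inputs on the search head; a row with sources=rest_input means an input the lookup-gen search is not writing out, and a row with sources=lookup means a stale entry left from an input that was since disabled or removed. Running the first line without `splunk_server=local` on a distributed search head is the quickest way to reproduce the original symptom of no results.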


Motivator

I had the same issue. I also had to manually edit the Threat List Audit View (/app/SplunkEnterpriseSecuritySuite/threatlistaudit) and add a splunk_server=local to the searches that use the rest command.


Splunk Employee

Just curious but did these issues happen after setting up the Distributed Management Console in distributed mode on your ES search-head?


Path Finder

I had a similar issue - my notable_owners weren't being built because the | rest command returns something different than browsing to the SH via the normal RESTful interface. I reset the DMC and all is well again. Thanks!!!
