Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

Splunk for Enterprise Security 3.2: Why is lookup threatlist_names.csv not populated correctly?

gstefan
Engager
โ€Ž11-25-2014 07:17 AM

Hi,

My installation is downloading threat lists correctly, but lookup threatlist_names.csv is not populated correctly. Search "| rest /services/data/inputs/threatlist" produces no results even though when I go to splunk:8089:/services/data/inputs/threatlist it looks correct.
It seems that my installation is not working at all.

Regards

Reply
1 Solution
Solved! Jump to solution
Solution

jakewalter
Explorer
โ€Ž02-11-2015 10:26 AM

I was able to solve this by adding splunk_server=local to the Threalists - Threatlist Inventory - Lookup Gen scheduled search in SA-ThreatIntelligence, so the full search would look like this:

| rest /services/data/inputs/threatlist splunk_server=local | where target="threatlist" AND disabled=0 | rename title as name | table name weight | outputlookup threatlist_names

View solution in original post

Reply
Solved! Jump to solution
Solution

jakewalter
Explorer
โ€Ž02-11-2015 10:26 AM

I was able to solve this by adding splunk_server=local to the Threalists - Threatlist Inventory - Lookup Gen scheduled search in SA-ThreatIntelligence, so the full search would look like this:

| rest /services/data/inputs/threatlist splunk_server=local | where target="threatlist" AND disabled=0 | rename title as name | table name weight | outputlookup threatlist_names

View solution in original post

Reply
Solved! Jump to solution

chris
Motivator
โ€Ž02-17-2015 01:39 AM

I had the same issue. I also had to manually edit the Threat List Audit View (/app/SplunkEnterpriseSecuritySuite/threatlistaudit) and add a splunk_server=local to the searches that use the rest command.

0 Karma
Reply
Solved! Jump to solution

hexx
Splunk Employee
Splunk Employee
โ€Ž04-11-2015 09:23 AM

Just curious but did these issues happen after setting up the Distributed Management Console in distributed mode on your ES search-head?

0 Karma
Reply
Solved! Jump to solution

niemesrw
Path Finder
โ€Ž02-26-2016 07:46 PM

I had a similar issue - my notable_owners weren't being built b/c the | rest command returns something different than browsing to the SH via normal restful interface. I reset the DMC and all is well again. Thanks!!!

0 Karma
Reply