Hi,
My installation is downloading threat lists correctly, but the lookup threatlist_names.csv is not populated correctly. Searching "| rest /services/data/inputs/threatlist" produces no results, even though when I go to splunk:8089/services/data/inputs/threatlist it looks correct.
It seems that my installation is not working at all.
Regards
I was able to solve this by adding splunk_server=local to the Threatlists - Threatlist Inventory - Lookup Gen scheduled search in SA-ThreatIntelligence, so the full search would look like this:
| rest /services/data/inputs/threatlist splunk_server=local | where target="threatlist" AND disabled=0 | rename title as name | table name weight | outputlookup threatlist_names
I had the same issue. I also had to manually edit the Threat List Audit View (/app/SplunkEnterpriseSecuritySuite/threat_list_audit) and add a splunk_server=local to the searches that use the rest command.
Just curious but did these issues happen after setting up the Distributed Management Console in distributed mode on your ES search-head?
I had a similar issue - my notable_owners weren't being built b/c the | rest command returns something different than browsing to the SH via normal restful interface. I reset the DMC and all is well again. Thanks!!!