The index is not created on the CM. It is defined in an app which is pushed to indexers and the index is created there.

Hi @tolgaakkapulu 

Are there any other events in ta_otx_otx.log file?

Having checked the python code for the addon, it doesnt look like there is much in terms of logging so I wouldnt expect there to be much. 

Are you able to confirm that the X-OTX-API-KEY you entered is correct? Also, did you specify a backfill days value for the input? If not then I think it will only report pulses sine you setup the Splunk input. 

Note - Changing the backfill *after* creating the input might not take effect because the checkpoint generated by the input uses the input stanza name, therefore you would need to create an input with a new name if you want to try this.

If you still have no joy then please try the following:

curl -X GET "https://otx.alienvault.com/api/v1/pulses/subscribed?modified_since=1743940560" -H "X-OTX-API-KEY: <api_key>" 

Updating the <api_key> with your OTX api key. 

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

@livehybrid  Additionally, log samples:

2025-04-08 13:56:19,927 INFO pid=426325 tid=MainThread file=base_modinput.py:log_info:295 | Retrieving subscribed pulses since: 2025-04-08 10:54:39.948582
2025-04-08 13:56:19,927 INFO pid=426325 tid=MainThread file=setup_util.py:log_info:117 | Proxy is not enabled!
2025-04-08 13:56:20,146 INFO pid=426325 tid=MainThread file=base_modinput.py:log_info:295 | Completed polling. Logged 0 pulses and 0 indicators.
2025-04-08 13:58:00,005 INFO pid=426392 tid=MainThread file=setup_util.py:log_info:117 | Log level is not set, use default INFO
2025-04-08 13:58:00,006 INFO pid=426392 tid=MainThread file=splunk_rest_client.py:_request_handler:99 | Use HTTP connection pooling
2025-04-08 13:58:00,038 INFO pid=426392 tid=MainThread file=base_modinput.py:log_info:295 | Retrieving subscribed pulses since: 2025-04-08 10:56:19.897881
2025-04-08 13:58:00,039 INFO pid=426392 tid=MainThread file=setup_util.py:log_info:117 | Proxy is not enabled!
2025-04-08 13:58:00,268 INFO pid=426392 tid=MainThread file=base_modinput.py:log_info:295 | Completed polling. Logged 0 pulses and 0 indicators.

Hi @livehybrid 

curl request returns results but no data can be pulled to the OTX index.

Additionally, according to your experience, which server would be more beneficial to install the OTX application on the Splunk Cluster side? (Ex: master, deploy, forwarder, indexer, etc.)

@tolgaakkapulu 

We need to install the add-on on the heavy forwarder to configure the data inputs. This allows the heavy forwarder to collect and forward data to the indexers. The same add-on should be installed on the search heads to enable search-time parsing. Most add-ons should be installed on BOTH the HF/indexer and the search head.  That's because they often have some properties that apply at index time and others that apply at search time.

Where to install Splunk add-ons - Splunk Documentation

NOTE: If your first Splunk Enterprise instance is a Heavy Forwarder (HF), install the add-on there for data parsing and configuring data inputs.  And if there's no Heavy Forwarder (HF) in your environment and you need to configure the add-on's data input, install the add-on on the search head and set up the data input there.

Hi @tolgaakkapulu 

I would probably install this on a heavy forwarder.

Since the curl request worked we can pretty much accept that your API key and connectivity works.

Were you able to see the date/time on one of the events returned from the curl request (It would be in the modified field)? Was this within the time period of the your "Backfill days" for the input you configured? 

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

@livehybrid  Thank you for feedback. Yes, each result is dated today.

For example:

"modified":"2025-04-08T10:52:59.705000",
"created":"2025-04-08T10:51:32.650000",

And, definition of Backfill days: 30

@tolgaakkapulu 

Im afraid I'm a little stuck here too...as it sounds like its configured correctly and you've confirmed the data coming back, the backfill and connection etc.

If you're feeling adventurous you could modify the Python in the app to add more logging, to see if that helps!

In $SPLUNK_HOME/etc/apps/TA-otx/bin/input_module_otx.py find the following section of code:

    response = helper.send_http_request(
      'https://otx.alienvault.com/api/v1/pulses/subscribed',
        'GET',
        parameters = {'modified_since' : since },
        headers = { 'X-OTX-API-KEY' : api_key },
        verify=True,
        use_proxy=True
    )

    response.raise_for_status()

    pulses = response.json()['results']

Replace it with:

    response = helper.send_http_request(
      'https://otx.alienvault.com/api/v1/pulses/subscribed',
        'GET',
        parameters = {'modified_since' : since },
        headers = { 'X-OTX-API-KEY' : api_key },
        verify=True,
        use_proxy=True
    )
    helper.log_info("modified_since: %s" % str(since))

    response.raise_for_status()
    respData = response.json()
    helper.log_info("Response from request")
    helper.log_info(respData)
    pulses = respData['results']

Then disable and re-enable the input and check the logs to see if it gives any more insight!

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

@tolgaakkapulu 

Why would you create an index on the HF? This is plain wrong. A HF is supposed to receive/fetch the data and forward it to the next tier (usually indexer but can be an intermediate forwarder). It's not supposed to do local indexing.

@PickleRickThe index needs to be created on the Heavy Forwarder (HF) so it can be selected in the data input configuration. There's no requirement to store data on the HF unless indexAndForward=true is explicitly set. This is mainly for naming consistency within the GUI.

Yes. Only if you're using GUI to configure the input. Even then it's not really necessary. You can define input to set any destination index and then manually edit input.conf (or use REST to update the input).

Incase it helps @tolgaakkapulu you do *not* need to create the index on the HF - this app has allows you to type in a chosen index name rather than select from a static list.

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing