Hi All,
I have installed the free Splunk version. I am trying to upload lookups, but I don't seem to have that capability. I have downloaded "CVE Lookup - By Fuzzmymind.com" app, but cant use it because its asking me to fill the below... I don't what these fields mean. Anybody out there know?
This view comes from the setup.xml that is shipped with the app. The author is asking you to set the index, interval, and disabled attributes for the scripted input they have packaged with this app.
<block title="Configure the scripted input" endpoint="data/inputs/script" entity=".%252Fbin%252Fmain.py">
See the data/inputs/script documentation in the REST reference guide or the inputs.conf.spec file in the docs about what these parameters mean. (you may also check out the inputs.conf file and the python script that are shipped with the app by default).
(Giving a quick glance at the main.py script... this app is hardcoded to retrieve the 3 years that it retrieves, and does no checkpointing (there's , so you'll wind up with duplicates if you run it more than once, but the feeds that it's pulling can be updated once a day... The author seemed to also want to cut out the configurations information from each vulnerability as well. Guess it depends on your use case for the data.)
Thanks for the information. I will read up on it. What I actually needed to get was the Lookup Editor App which worked like a charm... Here is the link for the app:
https://splunkbase.splunk.com/app/1724/