Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk for Enterprise Security 3.2: Why is lookup threatlist_names.csv not populated correctly?

gstefan
Engager
‎11-25-2014 07:17 AM

Hi,

My installation is downloading threat lists correctly, but lookup threatlist_names.csv is not populated correctly. Search "| rest /services/data/inputs/threatlist" produces no results even though when I go to splunk:8089:/services/data/inputs/threatlist it looks correct.
It seems that my installation is not working at all.

Regards

Reply
1 Solution
Solved! Jump to solution
Solution

jakewalter
Explorer
‎02-11-2015 10:26 AM

I was able to solve this by adding splunk_server=local to the Threalists - Threatlist Inventory - Lookup Gen scheduled search in SA-ThreatIntelligence, so the full search would look like this:

| rest /services/data/inputs/threatlist splunk_server=local | where target="threatlist" AND disabled=0 | rename title as name | table name weight | outputlookup threatlist_names

View solution in original post

Reply
Solved! Jump to solution
Solution

jakewalter
Explorer
‎02-11-2015 10:26 AM

I was able to solve this by adding splunk_server=local to the Threalists - Threatlist Inventory - Lookup Gen scheduled search in SA-ThreatIntelligence, so the full search would look like this:

| rest /services/data/inputs/threatlist splunk_server=local | where target="threatlist" AND disabled=0 | rename title as name | table name weight | outputlookup threatlist_names
Reply
Solved! Jump to solution

chris
Motivator
‎02-17-2015 01:39 AM

I had the same issue. I also had to manually edit the Threat List Audit View (/app/SplunkEnterpriseSecuritySuite/threat_list_audit) and add a splunk_server=local to the searches that use the rest command.

0 Karma
Reply
Solved! Jump to solution

hexx
Splunk Employee
Splunk Employee
‎04-11-2015 09:23 AM

Just curious but did these issues happen after setting up the Distributed Management Console in distributed mode on your ES search-head?

0 Karma
Reply
Solved! Jump to solution

niemesrw
Path Finder
‎02-26-2016 07:46 PM

I had a similar issue - my notable_owners weren't being built b/c the | rest command returns something different than browsing to the SH via normal restful interface. I reset the DMC and all is well again. Thanks!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...