- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Splunk Enterprise Security: How to troubleshoot wh...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Enterprise Security: How to troubleshoot why the threat_activity index is no longer populating with data?
The threat_activity index isn't populating anymore, and to be honest, I'm not sure how it's supposed to populate. There's a scheduled search in particular - Threat - Source And Destination Matches - Threat Gen that runs every 30 minutes and I believe it save its results into this index. However, it recently stopped. Does anyone know how this search is supposed to populate the threat_activity index? It doesn't have a summary index configured.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you look at the configuration for "Threat - Source And Destination Matches - Threat Gen" in savedsearches.conf, you should be able to see this "action.threat_activity=1" which is a reference to “alert_actions.conf” in DA-ESS-ThreatIntelligence app which has [threat_activity] stanza. It is a reference to call that alert action
If you look at this stanza in alert_actions.conf, you can see that it is "summaryindex" ing to threat_activity index (highlighted)
Please note "summaryindex" is an alias to "collect" command.
The part where summaryindex command is present in "threat_activity" alert action is given below.
| summaryindex spool=t uselb=t addtime=t index="$action.threat_activity._name{required=yes}$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A modification to a Gen search in GUI could cause a empty stanza in DA-ESS-ThreatIntelligence/local/savedsearch.conf such as alert.suppress.fields =
Check your savedsearches.conf in local and remove the wrong options.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not an expert on this app, but I think the summarizing part is defined in alert_actions.conf. The stanza in savedsearches.conf should have a setting like action.<name> = 1 and the corresponding summarization is handled in the alert_actions file. This lets multiple searches reuse the same alert throttling logic.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
