Thanks again for your assistance with troubleshooting this!

Hm, I am a bit confused as I have input the top_level_url in /local/nwsdk_query.conf. I am able to curl the URL with no issues.

[rest]

URL for RSA Security Analytics Concentrator/Broker REST interface, including username and password

On older versions the REST API is not enabled by default please see RSA Security Analytics support portal for instructions on how to enable it

top_level_url=http://10.0.0.0:50103/
username=admin
password=netwitness

File containing the last sessionid processed, to avoid generating duplicates

last_mid_file=/opt/splunk/etc/apps/netwitness_query/local/last_mid.query

Query to execute

Currently no checks are performed for correct query syntax

Make sure the select part should either be 'select *' or at least include time and sessionid meta keys

query=select time,sessionid,ip.src,ip.dst,service,alias.host,tcp.dstport,udp.dstport where service=80

query=select * where alert exists

query=select time,sessionid,ip.src,ip.dst,service,alias.host,tcp.dstport,udp.dstport where risk.info='http direct to ip request'

-- Advanced Configuration Settings --

Maximum number of meta to pull

max_meta=2500

Sleep time in seconds between main loop queries (defaults to 5 seconds if not defined)

sleep=5

Include "No data to process" messages in STDERR - Customer Feature - Default is True

verbose=True

I'm wondering if there's a permissions issue or a problem with the filename... that is causing the access to it to fail. But it's even stranger as it should at least read the one in the default directory...

The library being used is Splunk's default library to process configuration files that would merge default and local files with the same name.

My email is the code if you prefer to reach out to me directly with file details and directory listings or other more sensitive information, please feel free to use it.

Thank you,

Rui