- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search Factory: Unknown search command 'vt'.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Team,
We have installed Virus Total Checker app as well as Enterprise Security Suite App in our Search Head server. When we tried to search a query with vt field under Search and Reporting we can able to get an output. But when we go to Enterprise Security Apps and from there when we tried to search the same query it throws an error as "Search Factory: Unknown search command 'vt'. Not sure where the issue and moreover both the apps have been installed in the same search head server and also the permissions have been granted for the apps to receive data from other apps too. But still when we tried to search a data in Enterprise Security App with vt command it throws an error as Search Factory: Unknown search command 'vt'.
Kindly check and help on this request.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VT command seems to be part of Virus Total Checker app with app level permission.
If you want to use it in ES, please change the permission of the command and it should work. For updating command permission go to $SPLUNK_HOME/etc/apps/(Virus Tracker)/metadata/default.meta and update the permission.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VT command seems to be part of Virus Total Checker app with app level permission.
If you want to use it in ES, please change the permission of the command and it should work. For updating command permission go to $SPLUNK_HOME/etc/apps/(Virus Tracker)/metadata/default.meta and update the permission.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Already it has been provided with read permission but still facing the same error.
default.meta local.meta
-bash-4.1$ cat default.meta
[]
access = read : [ * ], write : [ admin, power ]
export = system
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can anyone kindly help to fix it asap
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There seems to be some problem with the file permission in virustotalchecker app. I was able to repro the error you are facing. The vt command was working if I open search within all other app context except Enterprise Security. I tried to compare it with different app with custom command but couldn't find any solution. Then I had downloaded TA-CMX app (https://splunkbase.splunk.com/app/3496/) which has custom command "cmxfloorinfo". This command was working with the ES app as well. I copied virustotalchecker.py file to TA-CMX/bin/ folder and added stanza for command vt into TA-CMX/default/commands.conf. After restart, vt command worked with ES as well.
Not sure what's the problem with virustotalchecker app .
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks alot... It worked as expected.... But as you said we cant able to trace out the exact problem with virustotalchecker app
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can anyone help on my query.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
