If this scripted input isn't working, then the data in question is not in index=checkpoint_lea, so it is not indexed yet. Is the certificate from the Check Point management station in the path ./certs, and is it named SplunkLEA.p12? Can you test network communication on port 18185 between the Splunk server and the management station? You should be able to look on the Check Point management station and verify that you see successful logons from Splunk. You need to verify that you have the correct opsec_entity_sic_name and opsec_sic_name. I remember there being some library dependencies that the script required as well. You can manually run the script from the operating system of the Splunk server to verify that it operates correctly. You should also verify whether the /etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh file exists, because that is what this error is complaining about.
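The checklist in the answer above (certificate file present and correctly named, the lea-loggrabber.sh script present, TCP 18185 reachable from the Splunk server, both SIC names set) can be run as a single pre-flight script before digging further. The script below is an added example and is not code from the thread or from the Splunk_TA_opseclea_linux22 app. It assumes SPLUNK_HOME is /opt/splunk, uses a placeholder management host name (cp-mgmt.example.com), and assumes the SIC names live in a local inputs.conf under the app; all three are assumptions you should replace with your own values.

```shell
#!/bin/sh
# Added example (not from the original thread or the Splunk app):
# pre-flight checks for a Splunk OPSEC LEA input that is not indexing.
# SPLUNK_HOME, CP_MGMT_HOST and the .conf file holding the SIC names are
# assumptions; override them via the environment or edit the defaults.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
APP_DIR="$SPLUNK_HOME/etc/apps/Splunk_TA_opseclea_linux22"
CERT_FILE="$APP_DIR/certs/SplunkLEA.p12"
GRABBER="$APP_DIR/bin/lea-loggrabber.sh"
CP_MGMT_HOST="${CP_MGMT_HOST:-cp-mgmt.example.com}"   # assumed host name
SIC_CONF="${SIC_CONF:-$APP_DIR/local/inputs.conf}"    # assumed conf file
LEA_PORT=18185

# check_file PATH: 0 if PATH is a readable regular file (the .p12 cert).
check_file() {
  [ -f "$1" ] && [ -r "$1" ]
}

# check_exec PATH: 0 if PATH exists and is executable (the .sh the error names).
check_exec() {
  [ -f "$1" ] && [ -x "$1" ]
}

# check_tcp HOST PORT [TIMEOUT]: 0 if a TCP connect succeeds. Uses bash's
# /dev/tcp so no nc is required; a refused or filtered port returns non-zero.
check_tcp() {
  host=$1; port=$2; tmo=${3:-5}
  timeout "$tmo" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# check_sic_names CONF: 0 only if both SIC keys are present with a non-empty
# value in CONF (key = value lines, as in a Splunk .conf stanza).
check_sic_names() {
  conf=$1
  [ -r "$conf" ] || return 1
  for key in opsec_entity_sic_name opsec_sic_name; do
    grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:]]" "$conf" || return 1
  done
}

# report LABEL CMD...: run one check, print PASS/FAIL, return the check's status.
report() {
  label=$1; shift
  if "$@"; then echo "PASS  $label"; return 0; else echo "FAIL  $label"; return 1; fi
}

# run_all_checks: run every check, return non-zero if any failed.
run_all_checks() {
  rc=0
  report "certificate present: $CERT_FILE"          check_file "$CERT_FILE"                || rc=1
  report "loggrabber script executable: $GRABBER"   check_exec "$GRABBER"                  || rc=1
  report "TCP $LEA_PORT reachable on $CP_MGMT_HOST" check_tcp "$CP_MGMT_HOST" "$LEA_PORT"  || rc=1
  report "both SIC names set in $SIC_CONF"          check_sic_names "$SIC_CONF"            || rc=1
  return $rc
}

# Run the full set only when invoked as:  sh lea_preflight.sh run
case "${1:-}" in run) run_all_checks ;; esac
```

A FAIL on the TCP check with a PASS on the file checks points at the network path or the OPSEC application on the management station; a PASS on everything here but still no events means the remaining suspects are the SIC name values themselves (a typo still passes the non-empty test) and the script's library dependencies, which you verify by running lea-loggrabber.sh by hand as the Splunk user.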