Thanks again for your assistance with troubleshooting this! ... View more

Hm, I am a bit confused as I have input the top_level_url in /local/nwsdk_query.conf. I am able to curl the URL with no issues. [rest] URL for RSA Security Analytics Concentrator/Broker REST interface, including username and password On older versions the REST API is not enabled by default please see RSA Security Analytics support portal for instructions on how to enable it top_level_url=http://10.0.0.0:50103/ username=admin password=netwitness File containing the last sessionid processed, to avoid generating duplicates last_mid_file=/opt/splunk/etc/apps/netwitness_query/local/last_mid.query Query to execute Currently no checks are performed for correct query syntax Make sure the select part should either be 'select *' or at least include time and sessionid meta keys query=select time,sessionid,ip.src,ip.dst,service,alias.host,tcp.dstport,udp.dstport where service=80 query=select * where alert exists query=select time,sessionid,ip.src,ip.dst,service,alias.host,tcp.dstport,udp.dstport where risk.info='http direct to ip request' -- Advanced Configuration Settings -- Maximum number of meta to pull max_meta=2500 Sleep time in seconds between main loop queries (defaults to 5 seconds if not defined) sleep=5 Include "No data to process" messages in STDERR - Customer Feature - Default is True verbose=True ... View more

Hi Rui, I ran the script and received the below error. I also tried while hardcoding the credentials in the script with no luck. ./splunk cmd python /opt/splunk/etc/apps/netwitness_query/bin/nwsdk_query.py 2017-Mar-02 01:19:01 - ERROR: Couldn't read TOP_LEVEL_URL from nwsdk_query.conf. ... View more

Thanks for the response! ... View more