Hm, I am a bit confused as I have input the top_level_url in /local/nwsdk_query.conf. I am able to curl the URL with no issues.
[rest]
# URL for RSA Security Analytics Concentrator/Broker REST interface, including username and password
# On older versions the REST API is not enabled by default please see RSA Security Analytics support portal for instructions on how to enable it
top_level_url=http://10.0.0.0:50103/
username=admin
password=netwitness
# File containing the last sessionid processed, to avoid generating duplicates
last_mid_file=/opt/splunk/etc/apps/netwitness_query/local/last_mid.query
# Query to execute
# Currently no checks are performed for correct query syntax
# Make sure the select part should either be 'select *' or at least include time and sessionid meta keys
query=select time,sessionid,ip.src,ip.dst,service,alias.host,tcp.dstport,udp.dstport where service=80
query=select * where alert exists
query=select time,sessionid,ip.src,ip.dst,service,alias.host,tcp.dstport,udp.dstport where risk.info='http direct to ip request'
# -- Advanced Configuration Settings --
# Maximum number of meta to pull
max_meta=2500
# Sleep time in seconds between main loop queries (defaults to 5 seconds if not defined)
sleep=5
# Include "No data to process" messages in STDERR - Customer Feature - Default is True
verbose=True