topic Re: Splunk custom index not getting incident in xsoar in Cortex XSOAR Discussions

Splunk custom index not getting incident in xsoar

Manikandan_sam — Sat, 12 Mar 2022 01:15:03 GMT

I am using splunk 60 day free trial non-enterprise edition and created a new custom index in splunk and manually added a sample event csv format file in the new index and all date is 2 days ago sample data

splunk integration with xsoar does not generate any incident, is there a configuration and timestamp problem?

Re: Splunk custom index not getting incident in xsoar

amore — Mon, 14 Mar 2022 21:45:03 GMT

Hi @Manikandan_sam , is this the first time you are configuring the XSOAR integration with Splunk? If yes, you may want to change the First fetch timestamp to 2 or 3 days, to capture incidents that were created before. If not, please check if certain incidents were missed while others were created, and open a support case with screenshots and logs.

Re: Splunk custom index not getting incident in xsoar

Manikandan_sam — Tue, 15 Mar 2022 07:51:45 GMT

yes this is my first time integrating splunk
that sample log file is a data day (March 3) for testing so I loaded it into splunk add data and created a custom index

example:

that the log file data is only from March 3rd and how to use timestamp lookup and I already use that custom query in splunk config

when i search xsoar cli !splunk-search query="index=notes" it shows index data and i can also parse the specific url and ip field in the playbook

So is this the proper method to use Splunk custom index to get all the data into xsoar?

Re: Splunk custom index not getting incident in xsoar

jgomes — Tue, 15 Mar 2022 15:07:58 GMT

Hello!
1. Please also try encapsulating the index name as per default example when creating new instance. eg.

search `notes` | expandtoken
2. Reset timestamp - unless you know you have new data coming in or within the look back windows (15mins by default)
3. Double check you you have latest content pack installed
4. double check time on your new system (sync with NTP)
5. You can debug a test fetch with: !<instance_name>-fetch debug-mode=true
reference - xsoar.pan.dev/docs/reference/articles/troubleshooting-guide
Please let us know how you go!

Re: Splunk custom index not getting incident in xsoar

Manikandan_sam — Fri, 18 Mar 2022 12:09:11 GMT

thank for the replay

I tried this query giving error search `notes` | expandtoken
if i use this query search index="notes" it works correctly but not show any data
my custom data is manually created (add data) uploaded csv file
i also reset the time but i still don't get it
yes content pack installed
yes new system (synchronization with NTP)
checked debug mode
my custom data is from 3rd March and time also different but i uploaded it today and 2 days ago my raw file is showing in cli command but when i changed settings again it shows empty index
how to change my timestamp and get data

Re: Splunk custom index not getting incident in xsoar

jgomes — Mon, 21 Mar 2022 15:11:10 GMT

The error indicates permission related to the Index or macro..
I do see you have the 'first fetch' look back to 3 months which should find data otherwise. If this was the first fetch.
I suggest testing the query in Splunk API directly and double check your API permissions.
https://docs.splunk.com/Documentation/Splunk/8.2.5/RESTTUT/RESTsearches

Do you get same error on your original search query without using expand token?

Perhaps try that again with larger window.. like 1 month+ to cover time the data datetime range

If XSOAR has fetched once already (the radio button for fetch in integration) then it will fetch the look back window once, then every minute (for the last minute) by default. Here you should delete instance and create a new one, so the first fetch goes back one month as configured. First use test to ensure no permission issues. Hope this helps.