This repository has been archived by the owner on Jul 18, 2022. It is now read-only.

Splunk app eating forensics even if not successfully polled #132

Closed

wfg opened this issue May 11, 2021 · 0 comments

Assignees

Milestone

Collaborator

wfg commented May 11, 2021

sample-code/siem/splunk/twistlock/bin/poll_forensics.py

Lines 53 to 55 in 639d813

    
           except (requests.exceptions.RequestException, ValueError) as req_err: 
        
               logger.warning("Failed getting forensics for incidentID {} from profileID {}. Error: {}. Continuing.".format(incident["_id"], incident["profileID"], req_err)) 
        
               continue

This continues which leads to another pop(0), erasing the incident with the error.

Add the incident back to the file for retry later
Add field for number of retry attempts
Log successful ingestions

The text was updated successfully, but these errors were encountered:

wfg self-assigned this

wfg added this to the May H1 milestone

wfg closed this as completed in

c88a822

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.