
How to configure the Qualys App for Splunk Enterprise for the KB lookup file in a distributed search environment?

rahul_jasrotia
Path Finder

I had a few questions regarding this app; can anyone please help?

  1. In a distributed environment, I have installed this app on the forwarder. The index exists on the indexer, and I'm able to see the data in the index on the search head when I search for index=qualys, but the lookup file qualys_kb lies on the forwarder, so I'm unable to see the lookup data on the search head. What should I do in this case?

  2. Should we install the app on both the forwarder and the search head in this case?
    But I think it'll duplicate the indexed events; correct me if I'm wrong.

  3. And if the answer to the above is yes, how do I disable the detection script on the search head and enable only the KB populator script? Enabling only the KB populator script under Data inputs -> Scripts on the search head isn't updating the lookup file on the search head.

Any pointers to the same are welcome.

Thanks
Rahul

0 Karma

nit123
Path Finder

The TA should be installed on the forwarder and on each of the search heads.
While all data inputs (WAS, VM, KB) should be enabled in the TA on the forwarder, only the KB input should be enabled on the search head.

Data for the enabled inputs will be forwarded to the indexer, and the VM App and WAS App should be installed on the search heads for reporting purposes. The TA should be installed on the SH with only the KB input enabled; disable VM and WAS in the TA on the search head.

This answers your points 1 and 2.

Regarding point 3, the new version of the TA has the intelligence to check where it is running: on the SH or on the forwarder. Accordingly, the detection script will run to populate data into Splunk.

I hope this clarifies your questions. If you need more assistance, feel free to reply.

0 Karma
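The split described in the answer above (every input enabled on the forwarder, only the KB input enabled on the search head, so the lookup is populated locally without the same detection events being indexed twice) is easy to get wrong when inputs.conf is edited by hand on several hosts. The following is an added example, not code from the Qualys TA or from either poster, that checks an inputs.conf against the role a host plays and flags event collectors that would run on both hosts. The stanza names used in the constructed sample files (qualys://knowledge_base, qualys://host_detection, qualys://was_findings) are assumptions for illustration; substitute the stanza names your TA version actually ships.

```python
"""Role-aware check of Qualys TA inputs.conf for a forwarder and a search head.

Added example; stanza names are assumptions, not taken from the TA's docs.
"""
import configparser

# Constructed sample inputs.conf for the forwarder: all collectors enabled.
FORWARDER_INPUTS = """\
[qualys://knowledge_base]
disabled = 0
index = qualys

[qualys://host_detection]
disabled = 0
index = qualys

[qualys://was_findings]
disabled = 0
index = qualys
"""

# Constructed search-head file as the answer recommends: KB populated
# locally so the lookup is refreshed, event collectors switched off.
SEARCH_HEAD_INPUTS = """\
[qualys://knowledge_base]
disabled = 0
index = qualys

[qualys://host_detection]
disabled = 1

[qualys://was_findings]
disabled = 1
"""

# Constructed misconfigured search head (the duplication the asker feared):
# the detection collector is still running alongside the forwarder's copy.
BAD_SEARCH_HEAD_INPUTS = """\
[qualys://knowledge_base]
disabled = 0

[qualys://host_detection]
disabled = 0
index = qualys
"""

KB_INPUT = "qualys://knowledge_base"              # assumed stanza name
EVENT_INPUTS = {"qualys://host_detection",        # assumed stanza names
                "qualys://was_findings"}
ALL_INPUTS = EVENT_INPUTS | {KB_INPUT}

# Values Splunk accepts as "true" for a boolean setting such as disabled.
TRUE_VALUES = {"1", "true", "t", "yes", "y", "on"}


def enabled_inputs(conf_text):
    """Return the set of qualys:// stanzas that are enabled in an inputs.conf.

    A stanza with no 'disabled' key counts as enabled, which is Splunk's
    default for an input stanza.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    enabled = set()
    for stanza in parser.sections():
        if not stanza.startswith("qualys://"):
            continue
        disabled = parser.get(stanza, "disabled", fallback="0").strip().lower()
        if disabled not in TRUE_VALUES:
            enabled.add(stanza)
    return enabled


def check_role(conf_text, role):
    """List deviations from the expected input set for 'forwarder' or 'search_head'."""
    enabled = enabled_inputs(conf_text)
    expected = ALL_INPUTS if role == "forwarder" else {KB_INPUT}
    problems = []
    for stanza in sorted(expected - enabled):
        problems.append(f"{role}: {stanza} should be enabled")
    for stanza in sorted(enabled - expected):
        problems.append(f"{role}: {stanza} should be disabled")
    return problems


def duplicated_collectors(forwarder_text, search_head_text):
    """Event inputs enabled on both hosts: each would index the same data twice.

    The KB input is deliberately excluded; it is meant to run on both hosts
    because it writes a lookup file rather than indexed events.
    """
    both = enabled_inputs(forwarder_text) & enabled_inputs(search_head_text)
    return sorted(both & EVENT_INPUTS)


if __name__ == "__main__":
    print(check_role(FORWARDER_INPUTS, "forwarder"))
    print(check_role(SEARCH_HEAD_INPUTS, "search_head"))
    print(check_role(BAD_SEARCH_HEAD_INPUTS, "search_head"))
    print(duplicated_collectors(FORWARDER_INPUTS, BAD_SEARCH_HEAD_INPUTS))
```

To use it against real hosts, feed `enabled_inputs` the merged configuration rather than a single file (for example the output of `splunk btool inputs list` on each host), since a `local/inputs.conf` can override what `default/inputs.conf` says about `disabled`.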

rahul_jasrotia
Path Finder

Does anyone have any clue about this?

0 Karma