11-13-2015 08:20:42.654 +0300 ERROR LookupOperator - The lookup table 'nessus_plugin_lookup' does not exist. It is referenced by configuration 'nessus_vuln'.
11-13-2015 08:20:42.654 +0300 WARN LookupOperator - Failed to find static lookup file: nessus_plugin_lookup.csv
I received this error. TA - 1.0.6BETA.
I had this error until I created empty files for:
by typing "touch nessus_scans.csv" and "touch nessus_plugin_lookup.csv" in the splunk/etc/apps/TA-nessus/lookups directory.
Try running an all-time search over sourcetype=nessus_vuln. Do you see any events? If the dashboards are empty, that probably means you have no indexed scan data.
Note: The user account that Splunk is using to log in to your Nessus scanner must be the same user that ran the scans.
EDIT: Sorry, I wrote index=nessus instead of sourcetype=nessus_vuln.
I see new data in index=nessus, but in the app it is empty. For example, I take this request:
tag=vulnerability tag=report report_id=* severity=* NOT severity=informational | chart count over dest by severity | sort -count limit=10 | rename low as Low, medium as Medium, high as High, critical as Critical
The reply is empty.
Then I modify the request (delete severity and add index=nessus):
index=nessus tag=vulnerability tag=report report_id=* | chart count over dest by severity | sort -count limit=10 | rename low as Low, medium as Medium, high as High, critical as Critical
I obtain data.
Is the severity field "informational" in all of your Nessus scan results? The Hurricane Labs App for Vulnerability Management doesn't display informational scan results in its dashboards.