Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Import from Splunk Tenable data takes long
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Import from Splunk Tenable data takes long
Everything works fine with the import. But it takes a long time to import all my data via API into Splunk.
Per 15min approximitly 1000 new Events after the scan is finished. So if I have about 600'000 Scan-Events it takes almost a week.
Is this normal? Where can I improve it?
Any idea? I can't find any errors in the log.
thanks for helping.
Ben
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Importing scans from Security Center is time consuming, but in theory, once you are up to date, its only the delta your importing on each run - unless your saying you have 600,00 results per scan?
If you don't need to import all events you can change the window from which Splunk will read from the API.
From time-time the Nessus scripts fall over, and I have to restart them - When I do so, i tend to bring the window forward (until just before it stopped) This keeps the delay down.
Another problem I have is that importing large numbers of events with the same time stamp (because that's how nessus does it), I get the following at search:
[indexerName] Events may not be returned in sub-second order due to search memory limits configured in limits.conf:[search]:max_rawsize_perchunk. See search.log for more information.
I suspect this has similar performance implications at index time too, which may well be contributing to the slow import. times.
Sadly, in my experience this is normal, and I have not found a way to improve it. (yet)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your answer and very sorry for my delay.
We don't use the security center, we use the api of the Nessus Professional v6.
Do you have any idea why we get all the Events every time..? Is there some kind of option?
The second problem does not occur, I guess because we only get 1000 Events per 15 min ;-).
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
