
Splunk Add-on for Tenable: How to correctly filter events to nullQueue from Tenable?

adamsmith47
Communicator

Hello,

My environment uses Nessus for vulnerability scanning, and we are importing the results of those scans via the Splunk Add-on for Tenable, here: https://splunkbase.splunk.com/app/1710/#/overview. The events are correctly being indexed into Splunk.

However, approximately 90% of the events generated from the Nessus scans are "Informative", which we do not wish to index into Splunk.

I've added a TRANSFORMS in the props.conf and a stanza in transforms.conf to find the appropriate "Informative" events with a regex, and discard them using the queue nullQueue, but I have been unsuccessful in filtering out "Informative" events from new scan results as they are being indexed.

The Splunk Add-on for Tenable is installed on a heavy forwarder. I have attempted both having the props and transforms on the heavy forwarder, and having them on the indexers. Neither has worked as I intended. See added props and transforms below:

props.conf

[tenable:sc:vuln]
#To remove "severity = informative" events from being logged in to Splunk, to reduce events
TRANSFORMS-null= tenable_remove_severity_informative

transforms.conf

#To remove "severity = informative" events from being logged in to Splunk, to reduce events
[tenable_remove_severity_informative]
REGEX ="severity":\s\{(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0"),\s(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0"),\s(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0")\}
DEST_KEY = queue
FORMAT = nullQueue

I've tried other, simpler regex terms (thinking maybe it was just a regex problem), but I'm nearly certain I've eliminated that as a possibility. When I copy/paste the above regex to test against the logs, it correctly finds the text I'm looking for.

Any advice is greatly appreciated! Thank you!

1 Solution

adamsmith47
Communicator

I don't know why, but, after I replaced

TRANSFORMS-null= tenable_remove_severity_informative

with

TRANSFORMS = tenable_remove_severity_informative

it started working. Not sure why I had to omit the namespace.


0 Karma
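A way to check the poster's nullQueue regex offline before pushing props/transforms to a forwarder. This is an added example, not code from the thread or from the Splunk Add-on for Tenable; the sample events are constructed JSON in the shape the poster's regex implies, and the whitespace-tolerant variant is my own assumption about how the filter could be loosened.

```python
import json
import re

# The REGEX from the poster's transforms.conf, verbatim (PCRE syntax that Python's re also accepts).
INFORMATIVE_RE = re.compile(
    r'"severity":\s\{'
    r'(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0"),\s'
    r'(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0"),\s'
    r'(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0")\}'
)

# Assumed variant: same three keys in any order, but tolerant of missing or extra whitespace,
# so compact JSON ("name":"Info") is caught as well as pretty-printed JSON ("name": "Info").
INFORMATIVE_TOLERANT_RE = re.compile(
    r'"severity":\s*\{'
    r'(?:\s*"(?:name|description|id)":\s*"(?:Info|Informative|0)"\s*,?){3}\s*\}'
)


def should_drop(event: str, pattern: re.Pattern = INFORMATIVE_RE) -> bool:
    """True if the transform's REGEX matches the raw event, i.e. it would be sent to nullQueue."""
    return pattern.search(event) is not None


def build_event(severity: dict, compact: bool = False) -> str:
    """Construct a tenable:sc:vuln-style raw event (constructed sample, not real scan output)."""
    record = {
        "pluginID": "10107",
        "pluginName": "HTTP Server Type and Version",
        "severity": severity,
        "ip": "192.0.2.10",
    }
    # json.dumps default separators give '"name": "Info"', which is what the original regex expects.
    return json.dumps(record, separators=(",", ":") if compact else None)


def filter_events(events: list, pattern: re.Pattern = INFORMATIVE_RE) -> list:
    """Return only the events that would survive the nullQueue transform."""
    return [e for e in events if not should_drop(e, pattern)]


if __name__ == "__main__":
    info = {"id": "0", "name": "Info", "description": "Informative"}
    high = {"id": "3", "name": "High", "description": "High"}
    for label, pat in (("original", INFORMATIVE_RE), ("tolerant", INFORMATIVE_TOLERANT_RE)):
        for compact in (False, True):
            ev = build_event(info, compact)
            print(f"{label:8} compact={compact!s:5} drop={should_drop(ev, pat)}")
    print("kept:", len(filter_events([build_event(info), build_event(high)])))
```

If the third check prints `drop=False`, the event format on your forwarder differs from what the regex expects (whitespace, key order, or quoting), which is worth ruling out before looking at the props.conf stanza.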
