All Apps and Add-ons

Tenable Add-on: configuration and authentication was successful but index has no events.


I have the Tenable apps installed and configured but no data is being pulled from SecurityCenter. The Security Manager account configured reports a successful login from Splunk but events in the index remains zero.

The following configuration items are used:

== Configuration: Account Name ==
- Verify SSL Certificate is disabled

== indexes ==
- App: TA-Tenable

== advanced search: search macros ==
- (index="tenable")

What could I be missing?

Any help appreciated!


Have you checked the TA logs?
index="_internal" source="*ta_tenable*"

0 Karma


I can notice the /vulns/export endpoint doesn't return any result (even via 'curl' command)

From TA logs:
DEBUG pid=59172 tid=MainThread | "POST /vulns/export HTTP/1.1" 200 None

Tenable support says '/vulns/export' endpoint is no longer in user. Any help will be appreciable.

0 Karma


vulns/export is very much still used across all of our integrations. This api only returns a uuid that we use to check the status of the data to be pulled and finally we use a chunks endpoint to pull the actual results we get. This log shows that the request returned a 200 so it is working as expected.

0 Karma


This is from ta_tenable_tenable_io.log (in chronological order). I don't see any errors. But no data is indexed.

 2019-02-13 13:55:51,110 | Tenable debug: Setting up session.
2019-02-13 13:55:51,110 | Tenable debug: Setting max retries to: 3
2019-02-13 13:55:51,111 | Tenable debug: Setting requests ssl verify to: True
2019-02-13 13:55:51,111 | Tenable Debug: check point name:
2019-02-13 13:55:51,112 | GET request to (body: {})
2019-02-13 13:55:51,117 | "GET /servicesNS/nobody/TA-tenable/storage/collections/config/TA_tenable_checkpointer HTTP/1.1" 200 5326
2019-02-13 13:55:51,118 | GET request to (body: {'offset': 0, 'search': 'TA_tenable_checkpointer', 'count': -1})
2019-02-13 13:55:51,122 | "GET /servicesNS/nobody/TA-tenable/storage/collections/config/?offset=0&search=TA_tenable_checkpointer&count=-1 HTTP/1.1" 200 4524
2019-02-13 13:55:51,124 | GET request to (body: {})
2019-02-13 13:55:51,126 | "GET /servicesNS/nobody/TA-tenable/storage/collections/data/TA_tenable_checkpointer/ HTTP/1.1" 200 101
2019-02-13 13:55:51,127 | Tenable Debug: check point state returned: {u'since': 1550022951}
2019-02-13 13:55:51,131 | Starting new HTTPS connection (1):
2019-02-13 13:55:52,189 | "POST /vulns/export HTTP/1.1" 200 None
2019-02-13 13:55:52,191 | Tenable debug: response OK http_status code: 200
2019-02-13 13:55:52,191 | Tenable Debug: GET URL:
2019-02-13 13:55:52,191 | Tenable Debug: GET PARMS: None
2019-02-13 13:55:52,669 | "GET /vulns/export/51d2af32-baf9-4aa0-886d-73412a093dfd/status HTTP/1.1" 200 None
2019-02-13 13:55:52,670 | Tenable debug: response OK http_status code: 200
2019-02-13 13:55:52,670 | POST request to (body: {'body': '[{"state": "{\\"since\\": 1550026551}", "_key": ""}]'})
2019-02-13 13:55:52,702 | "POST /servicesNS/nobody/TA-tenable/storage/collections/data/TA_tenable_checkpointer/batch_save HTTP/1.1" 200 35
0 Karma


Please create a support ticket with tenable so we can help track down the issue. The only other thing i would recommend is expanding you search window as we index/store all vuln data based on first seen date so searching is a bit different than if we duplicated all data daily.

0 Karma


Thanks. A Tenable Case #00755880 has been raised already. No luck so far. As you suggested I have searched the index with 'All Time' as time range. Still no data.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...