All Apps and Add-ons

Tenable Add-on: configuration and authentication was successful but index has no events.


I have the Tenable apps installed and configured but no data is being pulled from SecurityCenter. The Security Manager account configured reports a successful login from Splunk but events in the index remains zero.

The following configuration items are used:

== Configuration: Account Name ==
- Verify SSL Certificate is disabled

== indexes ==
- App: TA-Tenable

== advanced search: search macros ==
- (index="tenable")

What could I be missing?

Any help appreciated!


Have you checked the TA logs?
index="_internal" source="*ta_tenable*"

0 Karma


I can notice the /vulns/export endpoint doesn't return any result (even via 'curl' command)

From TA logs:
DEBUG pid=59172 tid=MainThread | "POST /vulns/export HTTP/1.1" 200 None

Tenable support says '/vulns/export' endpoint is no longer in user. Any help will be appreciable.

0 Karma


vulns/export is very much still used across all of our integrations. This api only returns a uuid that we use to check the status of the data to be pulled and finally we use a chunks endpoint to pull the actual results we get. This log shows that the request returned a 200 so it is working as expected.

0 Karma


This is from ta_tenable_tenable_io.log (in chronological order). I don't see any errors. But no data is indexed.

 2019-02-13 13:55:51,110 | Tenable debug: Setting up session.
2019-02-13 13:55:51,110 | Tenable debug: Setting max retries to: 3
2019-02-13 13:55:51,111 | Tenable debug: Setting requests ssl verify to: True
2019-02-13 13:55:51,111 | Tenable Debug: check point name:
2019-02-13 13:55:51,112 | GET request to (body: {})
2019-02-13 13:55:51,117 | "GET /servicesNS/nobody/TA-tenable/storage/collections/config/TA_tenable_checkpointer HTTP/1.1" 200 5326
2019-02-13 13:55:51,118 | GET request to (body: {'offset': 0, 'search': 'TA_tenable_checkpointer', 'count': -1})
2019-02-13 13:55:51,122 | "GET /servicesNS/nobody/TA-tenable/storage/collections/config/?offset=0&search=TA_tenable_checkpointer&count=-1 HTTP/1.1" 200 4524
2019-02-13 13:55:51,124 | GET request to (body: {})
2019-02-13 13:55:51,126 | "GET /servicesNS/nobody/TA-tenable/storage/collections/data/TA_tenable_checkpointer/ HTTP/1.1" 200 101
2019-02-13 13:55:51,127 | Tenable Debug: check point state returned: {u'since': 1550022951}
2019-02-13 13:55:51,131 | Starting new HTTPS connection (1):
2019-02-13 13:55:52,189 | "POST /vulns/export HTTP/1.1" 200 None
2019-02-13 13:55:52,191 | Tenable debug: response OK http_status code: 200
2019-02-13 13:55:52,191 | Tenable Debug: GET URL:
2019-02-13 13:55:52,191 | Tenable Debug: GET PARMS: None
2019-02-13 13:55:52,669 | "GET /vulns/export/51d2af32-baf9-4aa0-886d-73412a093dfd/status HTTP/1.1" 200 None
2019-02-13 13:55:52,670 | Tenable debug: response OK http_status code: 200
2019-02-13 13:55:52,670 | POST request to (body: {'body': '[{"state": "{\\"since\\": 1550026551}", "_key": ""}]'})
2019-02-13 13:55:52,702 | "POST /servicesNS/nobody/TA-tenable/storage/collections/data/TA_tenable_checkpointer/batch_save HTTP/1.1" 200 35
0 Karma


Please create a support ticket with tenable so we can help track down the issue. The only other thing i would recommend is expanding you search window as we index/store all vuln data based on first seen date so searching is a bit different than if we duplicated all data daily.

0 Karma


Thanks. A Tenable Case #00755880 has been raised already. No luck so far. As you suggested I have searched the index with 'All Time' as time range. Still no data.

0 Karma
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...