All Apps and Add-ons

Tenable Add-on: configuration and authentication was successful but index has no events.


I have the Tenable apps installed and configured but no data is being pulled from SecurityCenter. The Security Manager account configured reports a successful login from Splunk but events in the index remains zero.

The following configuration items are used:

== Configuration: Account Name ==
- Verify SSL Certificate is disabled

== indexes ==
- App: TA-Tenable

== advanced search: search macros ==
- (index="tenable")

What could I be missing?

Any help appreciated!


Have you checked the TA logs?
index="_internal" source="*ta_tenable*"

0 Karma


I can notice the /vulns/export endpoint doesn't return any result (even via 'curl' command)

From TA logs:
DEBUG pid=59172 tid=MainThread | "POST /vulns/export HTTP/1.1" 200 None

Tenable support says '/vulns/export' endpoint is no longer in user. Any help will be appreciable.

0 Karma


vulns/export is very much still used across all of our integrations. This api only returns a uuid that we use to check the status of the data to be pulled and finally we use a chunks endpoint to pull the actual results we get. This log shows that the request returned a 200 so it is working as expected.

0 Karma


This is from ta_tenable_tenable_io.log (in chronological order). I don't see any errors. But no data is indexed.

 2019-02-13 13:55:51,110 | Tenable debug: Setting up session.
2019-02-13 13:55:51,110 | Tenable debug: Setting max retries to: 3
2019-02-13 13:55:51,111 | Tenable debug: Setting requests ssl verify to: True
2019-02-13 13:55:51,111 | Tenable Debug: check point name:
2019-02-13 13:55:51,112 | GET request to (body: {})
2019-02-13 13:55:51,117 | "GET /servicesNS/nobody/TA-tenable/storage/collections/config/TA_tenable_checkpointer HTTP/1.1" 200 5326
2019-02-13 13:55:51,118 | GET request to (body: {'offset': 0, 'search': 'TA_tenable_checkpointer', 'count': -1})
2019-02-13 13:55:51,122 | "GET /servicesNS/nobody/TA-tenable/storage/collections/config/?offset=0&search=TA_tenable_checkpointer&count=-1 HTTP/1.1" 200 4524
2019-02-13 13:55:51,124 | GET request to (body: {})
2019-02-13 13:55:51,126 | "GET /servicesNS/nobody/TA-tenable/storage/collections/data/TA_tenable_checkpointer/ HTTP/1.1" 200 101
2019-02-13 13:55:51,127 | Tenable Debug: check point state returned: {u'since': 1550022951}
2019-02-13 13:55:51,131 | Starting new HTTPS connection (1):
2019-02-13 13:55:52,189 | "POST /vulns/export HTTP/1.1" 200 None
2019-02-13 13:55:52,191 | Tenable debug: response OK http_status code: 200
2019-02-13 13:55:52,191 | Tenable Debug: GET URL:
2019-02-13 13:55:52,191 | Tenable Debug: GET PARMS: None
2019-02-13 13:55:52,669 | "GET /vulns/export/51d2af32-baf9-4aa0-886d-73412a093dfd/status HTTP/1.1" 200 None
2019-02-13 13:55:52,670 | Tenable debug: response OK http_status code: 200
2019-02-13 13:55:52,670 | POST request to (body: {'body': '[{"state": "{\\"since\\": 1550026551}", "_key": ""}]'})
2019-02-13 13:55:52,702 | "POST /servicesNS/nobody/TA-tenable/storage/collections/data/TA_tenable_checkpointer/batch_save HTTP/1.1" 200 35
0 Karma


Please create a support ticket with tenable so we can help track down the issue. The only other thing i would recommend is expanding you search window as we index/store all vuln data based on first seen date so searching is a bit different than if we duplicated all data daily.

0 Karma


Thanks. A Tenable Case #00755880 has been raised already. No luck so far. As you suggested I have searched the index with 'All Time' as time range. Still no data.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...