All Apps and Add-ons

Tenable Add-on for Splunk vs. Splunk Add-on for Tenable

a212830
Champion

Splunk recently announced that they were no longer going to support their add-on for Tenable Nessus data, and recommended using Tenables own add-on for Splunk. I installed the add-on, but I'm seeing huge differences in event counts for the vuln sourcetype, with the Tenable one generating more than twice the amount of events. Has anyone run into this? Also, is there a way to disable the asset and plugin data from being collected?

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Are you sure you disabled the old one first? The uneducated question of mine is to make sure you aren't seeing double because the two are still running in parallel. After that, I'd sanity check that there's no remaining configs (btool) deployed before installing the new one. Then I'd use stats to check for duplicates: | stats count BY _raw, _time <- that's a beast of a search so don't do it for a long time period.

0 Karma
Get Updates on the Splunk Community!

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

&#x1f48c;Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...