All Apps and Add-ons

Tenable Add-on for Splunk vs. Splunk Add-on for Tenable


Splunk recently announced that they were no longer going to support their add-on for Tenable Nessus data, and recommended using Tenables own add-on for Splunk. I installed the add-on, but I'm seeing huge differences in event counts for the vuln sourcetype, with the Tenable one generating more than twice the amount of events. Has anyone run into this? Also, is there a way to disable the asset and plugin data from being collected?

0 Karma

Ultra Champion

Are you sure you disabled the old one first? The uneducated question of mine is to make sure you aren't seeing double because the two are still running in parallel. After that, I'd sanity check that there's no remaining configs (btool) deployed before installing the new one. Then I'd use stats to check for duplicates: | stats count BY _raw, _time <- that's a beast of a search so don't do it for a long time period.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!