All Apps and Add-ons

Tenable Add-on for Splunk vs. Splunk Add-on for Tenable

a212830
Champion

Splunk recently announced that they were no longer going to support their add-on for Tenable Nessus data, and recommended using Tenables own add-on for Splunk. I installed the add-on, but I'm seeing huge differences in event counts for the vuln sourcetype, with the Tenable one generating more than twice the amount of events. Has anyone run into this? Also, is there a way to disable the asset and plugin data from being collected?

0 Karma

sloshburch
Splunk Employee
Splunk Employee

Are you sure you disabled the old one first? The uneducated question of mine is to make sure you aren't seeing double because the two are still running in parallel. After that, I'd sanity check that there's no remaining configs (btool) deployed before installing the new one. Then I'd use stats to check for duplicates: | stats count BY _raw, _time <- that's a beast of a search so don't do it for a long time period.

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...

Security Highlights | November 2022 Newsletter

 November 2022 2022 Gartner Magic Quadrant for SIEM: Splunk Named a Leader for the 9th Year in a RowSplunk is ...

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...