Splunk recently announced that they were no longer going to support their add-on for Tenable Nessus data, and recommended using Tenables own add-on for Splunk. I installed the add-on, but I'm seeing huge differences in event counts for the vuln sourcetype, with the Tenable one generating more than twice the amount of events. Has anyone run into this? Also, is there a way to disable the asset and plugin data from being collected?
Are you sure you disabled the old one first? The uneducated question of mine is to make sure you aren't seeing double because the two are still running in parallel. After that, I'd sanity check that there's no remaining configs (btool) deployed before installing the new one. Then I'd use stats
to check for duplicates: | stats count BY _raw, _time
<- that's a beast of a search so don't do it for a long time period.