I've downloaded Splunk Add-on for Tenable and Tenable App for Splunk, and I can see data in the "tenable" index. However, the data is being stored as sourcetype="tenable:sc:plugin", though the Tenable app's built-in dashboards query for data as sourcetype="tenable:sc:vuln". Am I configuring it incorrectly?
Hi @mgao,
I think you have to update the get_tenable_index macro. Right now the current macro is considering the default index, so you have to update it.
Create macros.conf in the local folder and add the following content.
[get_tenable_index]
definition = (index="tenable")
description = Define the name of index for input. e.g. index="tenable"
Please check the following link for more info:
https://docs.tenable.com/other/TenableAppsforSplunk.pdf
Thanks
Hi @mgao,
Did you get the chance to try this solution?
Hi @kamlesh_vaghela,
The index was already specified as "tenable". I ended up fixing an SSL certificate error and was able to get the vuln data I was looking for.