Re: Tenable App for Splunk: why can't I get data u...

mgao · ‎07-05-2018

I've downloaded Splunk Add on for Tenable and Tenable App for Splunk, and I can see data in the "tenable" index. However, the data is being stored as sourcetype="tenable:sc:plugin," though the Tenable app's built in dashboards query for data as sourcetype="tenable:sc:vuln". Am I configuring incorrectly?

kamlesh_vaghela · ‎07-06-2018

Hi @mgao,

I think you have to update get_tenable_index macro. Right now current macro is considering default index. So you have to update it.

Create macros.conf in the local folder and add the following content.

[get_tenable_index]
definition = (index="tenable")
description = Define the name of index for input. e.g. index="tenable"

Please check the following link for more info:
https://docs.tenable.com/other/TenableAppsforSplunk.pdf

Thanks

kamlesh_vaghela · ‎07-16-2018

Hi @mgao,

Did you get the chance to try this solution?

mgao · ‎07-16-2018

Hi @kamlesh_vaghela,

The index was already specified as "tenable." I ended up fixing an SSL certificate error and was able to get the vuln data I was looking for.

Tenable App for Splunk: why can't I get data under "tenable:sc:vuln" sourcetype?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!