
Unable to see vulnerability and asset data in Rapid7 App for Splunk Enterprise



We recently configured Rapid7 App on a Search Head. Configuration is pointed to the Nexpose console IP on the default port of 3780. A non-admin user is used for connection to Nexpose. This user has access to all sites/groups.

After letting the nexpose_setup script run for some time, the only two items getting updated slowly in the dashboard are Total Assets & Total Vulnerabilities. The rest of the dashboard is blank. I noticed that under nexpose_setup.conf, the hostname field was still left as “localhost”, but changing that to the console IP did not make any difference.

The following is repeated in rapid7.log:

2016-05-25 10:00:00,675 INFO    nexpose_reports:65 - Platform is Linux or Mac
2016-05-25 10:00:00,675 INFO    nexpose_reports:70 - Splunk home is </opt/splunk>. Save directories are: </opt/splunk/etc/apps/rapid7/lookups/>, </opt/splunk/etc/apps/rapid7/lookups/vuln_cim_lookups/>, </opt/splunk/etc/apps/rapid7/lookups/asset_cim_lookups/>
2016-05-25 10:00:00,675 INFO    nexpose_reports:74 - Created save directory successfully!
2016-05-25 10:00:00,676 INFO    nexpose_reports:84 - Created vulnerability save directory successfully!
2016-05-25 10:00:00,676 INFO    nexpose_reports:94 - Created asset save directory successfully!
2016-05-25 10:00:01,379 INFO    nexpose_setup:34 - Executing
2016-05-25 10:00:01,725 INFO    nexpose_setup:34 - Executing
2016-05-25 10:00:02,188 INFO    nexpose_setup:34 - Executing
2016-05-25 10:00:02,226 INFO    nexpose_reports:163 - Nexpose application enabled. Continuing...
2016-05-25 10:19:44,705 INFO    __init__:168 - Using default logging config file: /opt/splunk/etc/log.cfg
2016-05-25 10:19:44,709 INFO    __init__:206 - Setting logger=splunk level=INFO
2016-05-25 10:19:44,709 INFO    __init__:206 - Setting logger=splunk.appserver level=INFO
2016-05-25 10:19:44,709 INFO    __init__:206 - Setting logger=splunk.appserver.controllers level=INFO
2016-05-25 10:19:44,710 INFO    __init__:206 - Setting logger=splunk.appserver.controllers.proxy level=INFO
2016-05-25 10:19:44,710 INFO    __init__:206 - Setting logger=splunk.appserver.lib level=WARN
2016-05-25 10:19:44,711 INFO    __init__:206 - Setting logger=splunk.pdfgen level=INFO
2016-05-25 10:19:44,711 INFO    setup:29 - Executing
2016-05-25 10:38:36,068 INFO    nexpose_setup:34 - Executing
2016-05-25 10:38:36,368 INFO    nexpose_setup:34 - Executing
2016-05-25 10:38:36,704 INFO    nexpose_setup:34 - Executing
2016-05-25 10:38:37,013 INFO    nexpose_setup:34 - Executing
2016-05-25 10:38:37,412 INFO    nexpose_setup:34 - Executing
2016-05-25 10:38:37,865 INFO    nexpose_setup:34 - Executing

Any ideas on what I could have missed? Does this need an admin account on Nexpose?


~ Abhi

0 Karma


While I run Splunk on Windows the output should be the same. Is there data in $SPLUNKHOME/etc/apps/rapid7/lookups?

0 Karma
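
The check asked about in the reply above, as an added example that is not part of the original thread or of the Rapid7 app: it reads the save directories from the `nexpose_reports:70` line format quoted in the question and reports which of them hold non-empty files. The function names and the sample line constant are assumptions made for this illustration.

```python
import re
import sys
from pathlib import Path

# Constructed sample: the nexpose_reports:70 line as quoted in the question.
SAMPLE_LINE = (
    "2016-05-25 10:00:00,675 INFO    nexpose_reports:70 - Splunk home is </opt/splunk>. "
    "Save directories are: </opt/splunk/etc/apps/rapid7/lookups/>, "
    "</opt/splunk/etc/apps/rapid7/lookups/vuln_cim_lookups/>, "
    "</opt/splunk/etc/apps/rapid7/lookups/asset_cim_lookups/>"
)

def save_dirs_from_log(log_text):
    """Return the directories named on the last 'Save directories are:' line."""
    dirs = []
    for line in log_text.splitlines():
        _, found, tail = line.partition("Save directories are:")
        if found:
            # Paths are wrapped in angle brackets; a later line overrides earlier ones.
            dirs = re.findall(r"<([^<>]+)>", tail)
    return dirs

def lookup_status(dirs):
    """Map each directory to its non-empty regular files (None if the directory is missing)."""
    status = {}
    for d in dirs:
        path = Path(d)
        if not path.is_dir():
            status[d] = None
            continue
        status[d] = sorted(
            f.name for f in path.iterdir() if f.is_file() and f.stat().st_size > 0
        )
    return status

def empty_dirs(status):
    """Directories that are missing or contain no non-empty files."""
    return [d for d, files in status.items() if not files]

if __name__ == "__main__":
    # Usage: python check_lookups.py /path/to/rapid7.log (falls back to the sample line).
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_LINE
    for directory, files in lookup_status(save_dirs_from_log(text)).items():
        state = "missing" if files is None else f"{len(files)} non-empty file(s)"
        print(f"{directory}: {state}")
```
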


Hi windbishn,

Thanks for the response. It is working now. It seems that Admin credentials are needed for it to be able to query the database correctly.

We changed the credentials to one with admin privileges and now we could see queries being (rapid7.log) and data is also getting populated. We try to keep admin accounts in the console to the bare minimum required, but it looks like there is no other option here, and I don't think there is any option to create a non-interactive admin account, which cannot be used to log in to the UI but can still query the DB if needed.



0 Karma