qualys_kb_lookup is suddenly empty

derjosh
New Member

Hi,

suddenly the qualys_kb_lookup is empty and

| inputlookup qualys_kb_lookup

does not return any results anymore.

Any ideas on how I can analyze/fix the issue? I am new to Splunk 😉

Thanks

0 Karma

btanjialih
Explorer

As stated on Splunkbase by the author in the release note:

"Error faced while parsing knowledgebase API response when CVSS data is missing in the response."

Updating the TA to the latest version should resolve this issue.

0 Karma

derjosh
New Member

Data input is configured

knowledge_base  30 * * * *  1999-01-01T00:00:00Z
0 Karma

derjosh
New Member

Solved this issue, but still have no clue why this happened from one day to the other.

cd /opt/splunk/etc/apps/TA-QualysCloudPlatform && /opt/splunk/bin/splunk cmd python ./bin/run.py -k -s [apiserver] -u [user] -p [password]

Error message indicated an issue with CVSS VECTOR

https://answers.splunk.com/answers/711008/cvss-vector-string-field-error-qualys-ta.html helped here

0 Karma

vik_splunk
Communicator

We ran into the same issue and the issue was that Qualys recently updated their API to include a new field called CVSS_VECTOR_STRING. This was conflicting with the kbpopulator.py script in the TA and backing up and editing the TA worked for us.

Two solutions to this:

1) Follow the fix in the above link

or

2) Upgrade to the new 1.4.0 TA which comes with the fix and was released on Jan 28th 2019.
https://splunkbase.splunk.com/app/2964/

Looks like you've addressed the issue but just wanted to share the background and the knowledge of the new version of TA.

0 Karma
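
An added example, not part of the thread and not the TA's own code: a minimal sketch of the failure mode discussed above, where a knowledge base record may lack CVSS data or carry a field the lookup writer does not know yet. The XML element names, the sample records and the lookup column list are assumptions constructed for illustration.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample, not real Qualys output; element names are assumptions.
SAMPLE_XML = """<VULN_LIST>
  <VULN><QID>100001</QID><TITLE>Constructed A</TITLE><SEVERITY_LEVEL>3</SEVERITY_LEVEL>
    <CVSS><BASE>7.5</BASE><TEMPORAL>6.1</TEMPORAL>
      <VECTOR_STRING>CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P</VECTOR_STRING></CVSS></VULN>
  <VULN><QID>100002</QID><TITLE>Constructed B (no CVSS)</TITLE><SEVERITY_LEVEL>1</SEVERITY_LEVEL></VULN>
  <VULN><TITLE>Constructed C (no QID)</TITLE></VULN>
</VULN_LIST>"""

# Hypothetical fixed header of the lookup CSV.
COLUMNS = ["QID", "TITLE", "SEVERITY_LEVEL", "CVSS_BASE", "CVSS_TEMPORAL"]


def flatten(vuln):
    """Turn one VULN element into a flat dict; nested CVSS/BASE becomes CVSS_BASE."""
    row = {}
    for child in vuln:
        if len(child):  # element with children, such as CVSS
            for leaf in child:
                row[f"{child.tag}_{leaf.tag}"] = (leaf.text or "").strip()
        else:
            row[child.tag] = (child.text or "").strip()
    return row


def build_lookup(xml_text):
    """Return (csv_text, skipped_records, unknown_fields) without aborting the run."""
    out = io.StringIO()
    # restval fills columns a record lacks (missing CVSS); extrasaction="ignore"
    # drops fields outside COLUMNS. The default, "raise", throws ValueError on
    # the first unexpected field and would leave the lookup unwritten.
    writer = csv.DictWriter(out, COLUMNS, restval="", extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    skipped, unknown = 0, set()
    for vuln in ET.fromstring(xml_text).iter("VULN"):
        row = flatten(vuln)
        if not row.get("QID"):  # unusable as a lookup key: count it, keep going
            skipped += 1
            continue
        unknown.update(set(row) - set(COLUMNS))
        writer.writerow(row)
    return out.getvalue(), skipped, sorted(unknown)


if __name__ == "__main__":
    text, skipped, unknown = build_lookup(SAMPLE_XML)
    print(text, f"skipped={skipped}", f"unknown fields={unknown}", sep="\n")
```

Reporting the unknown field names instead of failing on them keeps the lookup populated and still surfaces an API schema change for follow-up.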