How to configure the Qualys App for Splunk Enterprise for Kb lookup file in a distributed search environment?

rahul_jasrotia
Path Finder

Had a few questions regarding this app; can anyone please help?

  1. In a distributed environment, I have installed this app on the forwarder. The index exists on the indexer and I'm able to see the data in the index on the search head when I search for index=qualys, but the lookup file qualys_kb lies on the forwarder, so I'm unable to see the lookup data on the search head. What to do in this case?

  2. Should we install the app on both the Forwarder and the Search head in this case?
    But I think it'll duplicate the indexed events; correct me if I'm wrong.

  3. And in case the answer to the above is true, then how do I disable the script for detection on the search head and only enable the KB populator script? Only enabling the KB populator script under Data inputs -> Scripts on the search head isn't updating the lookup file on the search head.

Any pointers to the same are welcome.

Thanks
Rahul


nit123
Path Finder

The TA should be installed on the forwarder and on each of the search heads.
While all data inputs (WAS, VM, KB) should be enabled in the TA on the forwarder, only the KB input should be enabled on the search head.

Data for the enabled inputs shall be forwarded to the indexer, and the VM App and WAS App should be installed on the search heads for reporting purposes. The TA should be installed on the SH with only the KB input enabled. Disable VM and WAS in the TA on the search head.

This answers your points 1 and 2.

Regarding point 3, the new version of the TA has the intelligence to check where the TA is running: on the SH or on the forwarder. Accordingly, the detection script shall run to populate data into Splunk.

Hope this clarifies your questions. If you need more assistance, feel free to reply back.

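As an added illustration of the per-role input layout described in the answer above (not code from the Qualys TA or from the poster), the following script reads a constructed inputs.conf for each role and flags the two misconfigurations the thread is about: a disabled input on the forwarder, and a non-KB input left enabled on the search head, which would index the same events a second time. The stanza names are assumed placeholders, not the TA's real input names; only the `disabled = 0/1` key is standard Splunk inputs.conf syntax.

```python
"""Check Qualys TA inputs per Splunk role: every input enabled on the
forwarder, only the KB input enabled on the search head."""
import configparser
import io

# Assumption: these stanza names are illustrative, not the TA's real ones.
KB_INPUT = "qualys://knowledge_base"
ALL_INPUTS = (KB_INPUT, "qualys://host_detection", "qualys://was_findings")

# Constructed sample inputs.conf contents for each role.
FORWARDER_CONF = """
[qualys://knowledge_base]
disabled = 0
[qualys://host_detection]
disabled = 0
[qualys://was_findings]
disabled = 0
"""
# Constructed search-head config with one input wrongly left enabled.
SEARCH_HEAD_CONF = """
[qualys://knowledge_base]
disabled = 0
[qualys://host_detection]
disabled = 0
[qualys://was_findings]
disabled = 1
"""


def enabled_inputs(conf_text):
    """Return the set of known input stanzas whose 'disabled' key is not 1."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(conf_text))
    enabled = set()
    for name in ALL_INPUTS:
        # Splunk treats a missing 'disabled' key as enabled.
        if cp.has_section(name) and cp.get(name, "disabled", fallback="0").strip() != "1":
            enabled.add(name)
    return enabled


def check_role(role, conf_text):
    """Return a list of problems for role 'forwarder' or 'search_head'."""
    enabled = enabled_inputs(conf_text)
    problems = []
    if role == "forwarder":
        for name in ALL_INPUTS:
            if name not in enabled:
                problems.append(f"{name} is disabled on the forwarder; its data will not be indexed")
    elif role == "search_head":
        if KB_INPUT not in enabled:
            problems.append(f"{KB_INPUT} is disabled on the search head; the qualys_kb lookup will not refresh")
        for name in sorted(enabled - {KB_INPUT}):
            problems.append(f"{name} is enabled on the search head; it would index duplicate events")
    return problems
```

Run `check_role("search_head", SEARCH_HEAD_CONF)` to see the duplicate-event finding for the sample config; the forwarder sample returns no problems.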

rahul_jasrotia
Path Finder

Does anyone have any clue for the same?
