11-13-2015 08:20:42.654 +0300 ERROR LookupOperator - The lookup table 'nessus_plugin_lookup' does not exist. It is referenced by configuration 'nessus_vuln'.
11-13-2015 08:20:42.654 +0300 WARN LookupOperator - Failed to find static lookup file: nessus_plugin_lookup.csv
I received this error with TA version 1.0.6BETA.
I created an empty CSV and launched update_lookup.sh. It filled the file. It downloaded data from Nessus; I can see it.
But the application's dashboards are empty.
Try running an all-time search over sourcetype=nessus_vuln. Do you see any events? If the dashboards are empty, that probably means you have no indexed scan data.
Note: The user account that Splunk is using to log in to your Nessus scanner must be the same user that ran the scans.
EDIT: Sorry, I wrote index=nessus instead of sourcetype=nessus_vuln
Apologies, I meant sourcetype=nessus_vuln, not index=nessus.
Are the events in that sourcetype scan results?
I see new data in index=nessus, but the app is empty. For example, I run this search:
tag=vulnerability tag=report report_id=* severity=* NOT severity=informational | chart count over dest by severity | sort -count limit=10 | rename low as Low, medium as Medium, high as High, critical as Critical
It returns nothing.
Then I modify the search (remove the severity filter and add index=nessus):
index=nessus tag=vulnerability tag=report report_id=* | chart count over dest by severity | sort -count limit=10 | rename low as Low, medium as Medium, high as High, critical as Critical
I get data.
Is the severity field "informational" in all of your Nessus scan results? The Hurricane Labs App for Vulnerability Management doesn't display informational scan results in its dashboards.
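A quick way to check this, added here as an example and not part of the thread: count the indexed scan results by severity, with events that have no severity field at all shown as a separate bucket, so you can tell whether the app's exclusion of informational results (and of events lacking the field) is what empties the dashboards. It assumes the same index, tags and severity field names used in the searches above.

```spl
index=nessus tag=vulnerability tag=report report_id=*
| fillnull value="(missing)" severity
| stats count by severity
| sort -count
```

If every row is "informational" or "(missing)", the dashboards are empty because the app has nothing above informational severity to chart, not because the data failed to index.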