Getting Data In

What changes we need to get the data into test index?



While trying to configure the rapid7intsightsvm app the data is not indexing to index which  I have configured.

Full import schedule (Days)
InsightVM Connection
Asset Filter
Site IN [Rapid7]
Import vulnerabilities
Include same vulnerabilities
what changes we need to get the data in to  test index ??

Labels (1)
0 Karma


Hi there,

Question is a little broad without knowing what you've done already. To resolve, will require a bit more info:

1. Is this a standalone instance or a forwarder in a distributed deployment? (if it's a forwarder, are any other inputs whos data is successfully being forwarded to the index layer and indexed? (to eliminate firewall or traffic blocking at the receiving node or along the path))
2. Does the index "test" exist and is it enabled? (search: | rest /services/data/indexes | search title=test | table title, disabled or Settings > Indexes > filter for test)
3. Have you checked the _internal logs for any errors with the mod input
4. Have you confirmed the input key is correct and able to authenticate to the API (try deleting and recreating the input in the TA)

0 Karma



1. yes it is standalone instance

2. yes the test index is configured and enabled

3. Yes I have checked the internal logs

 INFO pid=24473 tid=MainThread | Last import time InsightVM_Assets-last_import_time for InsightVM_Assets has not been updated and remains at None

4. Yes the input key is correct and able to authenticate to the API 



0 Karma


It looks like the input script isn't running:

If it hasn't worked at all, I would start from scratch. In the TA, I would delete the connection and the input and recreate them with a new API key.

Regenerate a new API key:

  1. Sign in to the Insight Platform.
  2. Select the gear icon in the top menu and click API Keys.
  3. Select Organization Key.
  4. Select + New Key.
  5. Enter a name for the key and click Generate.
  6. Copy and store the generated key in a secure location.

Recreate the connection

  1. Navigate to the Rapid7 InsightVM Technology Add-On available under the Apps menu in Splunk.
  2. Select Configuration.
  3. Select Add.
  4. Enter a name for the connection.
  5. Enter your region, which is a two-character string based on your location (such as us).
  6. Enter your generated API key.
  7. Click Add.

Recreate the input:

Inputs > Create New Input
all per the doc

Also, if you are using an older Splunk install, check /opt/splunk/bin/ and see what python you have. I believe the input in the TA uses python3 by default.

Also, may try:
A different index (i.e. test2)
Restarting splunkd

If you're still not getting data in, the issue is likely not with Splunk. The TA is vendor built and supported, so I would reach out to Rapid7 and see if they can t/s the connection.

0 Karma
Get Updates on the Splunk Community!

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...