Getting Data In

What changes do we need to get the data into the test index?

AL3Z
Communicator

Hi,

While trying to configure the Rapid7 InsightVM app, the data is not indexing to the index which I have configured.

Name: InsightVM_Assets
Interval: 3600
Full import schedule (Days): 0
Index: test
Status: false
InsightVM Connection: Splunk_Rapid7
Asset Filter: Site IN [Rapid7]
Import vulnerabilities: 1
Include same vulnerabilities: 0

What changes do we need to get the data into the test index?


John_Littleton
Explorer

Hi there,

The question is a little broad without knowing what you've done already. To resolve it will require a bit more info:

1. Is this a standalone instance or a forwarder in a distributed deployment? (If it's a forwarder, are there any other inputs whose data is successfully being forwarded to the index layer and indexed? That would eliminate firewall or traffic blocking at the receiving node or along the path.)
2. Does the index "test" exist and is it enabled? (Search: | rest /services/data/indexes | search title=test | table title, disabled  or go to Settings > Indexes and filter for test.)
3. Have you checked the _internal logs for any errors with the mod input?
4. Have you confirmed the input key is correct and able to authenticate to the API? (Try deleting and recreating the input in the TA.)

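As an added example that is not part of this thread or of Rapid7's add-on, the script below automates checks 2 and 3 from the answer above offline: it parses btool-style indexes.conf output to tell whether the target index exists and is enabled, and scans splunkd/_internal style log lines for a modular input script that fails at launch (an ExecProcessor error) or that never completes an import (the "Last import time ... remains at None" message the original poster quotes further down). The indexes.conf stanzas, the TA-example app path and script name, and every log line except that "Last import time" one are constructed for illustration.

```python
"""Offline triage for a Splunk modular input that never indexes (added example).

Added example, not code from the thread or from Rapid7's add-on. It automates
two of the checks from the answer above against constructed input:
  1. does the target index exist and is it enabled (btool-style indexes.conf)
  2. do the _internal / splunkd.log lines show the input script failing at
     launch (ExecProcessor) or never completing an import
Only the "Last import time ... remains at None" line is taken from the thread;
every other stanza, path, app name and log line here is constructed.
"""
import re
from dataclasses import dataclass

# Constructed: stanza/key lines as printed by `splunk btool indexes list --debug`
# once the leading file-path column is stripped. "test" is enabled, "test2" is disabled.
INDEXES_CONF = """\
[test]
homePath   = $SPLUNK_DB/test/db
coldPath   = $SPLUNK_DB/test/colddb
thawedPath = $SPLUNK_DB/test/thaweddb

[test2]
homePath   = $SPLUNK_DB/test2/db
coldPath   = $SPLUNK_DB/test2/colddb
thawedPath = $SPLUNK_DB/test2/thaweddb
disabled   = 1
"""

# Constructed log sample. Line 1 is the add-on message quoted later in the
# thread; line 2 imitates splunkd.log's ExecProcessor format for a modular
# input script that dies at startup (hypothetical TA-example path).
LOG_LINES = [
    "05-01-2024 10:00:00.001 +0000 INFO pid=24473 tid=MainThread "
    "file=base_modinput.py:log_info:295 | Last import time "
    "InsightVM_Assets-last_import_time for InsightVM_Assets has not been "
    "updated and remains at None",
    "05-01-2024 10:00:01.002 +0000 ERROR ExecProcessor [12345 ExecProcessor] "
    '- message from "/opt/splunk/bin/python3 '
    '/opt/splunk/etc/apps/TA-example/bin/insightvm_assets.py" '
    "ModuleNotFoundError: No module named 'requests'",
    '05-01-2024 10:00:02.003 +0000 INFO  Metrics - group=per_index_thruput, series="test", kbps=0.0',
]

EXEC_ERROR = re.compile(r'ERROR ExecProcessor .*?message from "([^"]+)"\s*(.*)')
NEVER_IMPORTED = re.compile(
    r"Last import time \S+ for (\S+) has not been updated and remains at None"
)


def parse_conf(text):
    """Parse [stanza] / key = value text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def index_status(conf_text, name):
    """Return 'ok', 'disabled' or 'missing' for the named index."""
    stanzas = parse_conf(conf_text)
    if name not in stanzas:
        return "missing"
    if stanzas[name].get("disabled", "0").lower() in ("1", "true"):
        return "disabled"
    return "ok"


@dataclass
class Finding:
    kind: str    # "script_error" or "never_imported"
    detail: str


def triage_logs(lines, input_name):
    """Collect launch failures and never-completed imports for one input."""
    findings = []
    for line in lines:
        m = EXEC_ERROR.search(line)
        if m:
            findings.append(Finding("script_error", f"{m.group(1)}: {m.group(2)}"))
            continue
        m = NEVER_IMPORTED.search(line)
        if m and m.group(1) == input_name:
            findings.append(Finding("never_imported", m.group(1)))
    return findings


def diagnose(conf_text, index_name, lines, input_name):
    """Order the checks the way the answer does: index first, then the script."""
    status = index_status(conf_text, index_name)
    if status != "ok":
        return f"index_{status}"
    kinds = {f.kind for f in triage_logs(lines, input_name)}
    if "script_error" in kinds:
        return "script_error"        # fix the script / Python environment first
    if "never_imported" in kinds:
        return "never_imported"      # script runs but no import completed: API, filter, interval
    return "no_finding"              # look at the forwarding path or the sourcetype instead


if __name__ == "__main__":
    print(diagnose(INDEXES_CONF, "test", LOG_LINES, "InsightVM_Assets"))
    for f in triage_logs(LOG_LINES, "InsightVM_Assets"):
        print(f"{f.kind}: {f.detail}")
```

Against a live instance, feed index_status the output of `splunk btool indexes list test --debug` (with the leading path column stripped) and triage_logs the results of `index=_internal sourcetype=splunkd ExecProcessor` together with the add-on's own log file under $SPLUNK_HOME/var/log/splunk/. A "never_imported" verdict with no ExecProcessor error means the script starts fine, which points at the connection, the asset filter or the interval rather than at Splunk's indexing.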

AL3Z
Communicator

Hi,
@John_Littleton

1. Yes, it is a standalone instance.

2. Yes, the test index is configured and enabled.

3. Yes, I have checked the internal logs:

INFO pid=24473 tid=MainThread file=base_modinput.py:log_info:295 | Last import time InsightVM_Assets-last_import_time for InsightVM_Assets has not been updated and remains at None

4. Yes, the input key is correct and able to authenticate to the API.

Thanks


John_Littleton
Explorer

It looks like the input script isn't running.

If it hasn't worked at all, I would start from scratch. In the TA, I would delete the connection and the input and recreate them with a new API key.

Regenerate a new API key:

  1. Sign in to the Insight Platform.
  2. Select the gear icon in the top menu and click API Keys.
  3. Select Organization Key.
  4. Select + New Key.
  5. Enter a name for the key and click Generate.
  6. Copy and store the generated key in a secure location.

Recreate the connection:

  1. Navigate to the Rapid7 InsightVM Technology Add-On available under the Apps menu in Splunk.
  2. Select Configuration.
  3. Select Add.
  4. Enter a name for the connection.
  5. Enter your region, which is a two-character string based on your location (such as us).
  6. Enter your generated API key.
  7. Click Add.

Recreate the input:

Inputs > Create New Input

All per the doc: https://docs.rapid7.com/insightvm/insightvm-technology-add-on-for-splunk/

Also, if you are using an older Splunk install, check /opt/splunk/bin/ and see what Python you have. I believe the input in the TA uses python3 by default.

Also, you may try:

  1. A different index (e.g. test2)
  2. Restarting splunkd

If you're still not getting data in, the issue is likely not with Splunk. The TA is vendor built and supported, so I would reach out to Rapid7 and see if they can troubleshoot the connection.