Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- data indexing on rapid7 app for Splunk enterprise
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am planning to install Splunk app for Rapid7 Nexpose. We use Nexpose Enterprise edition. While checking the app documentation, I could not locate information on whether it would be defining a new index for data from Nexpose. Does anyone has additional information on this?
Our splunk setup has Indexer and search head on different servers. Do I need to install the app on both(Indexer & search head)?
The reason I ask this question is because we would prefer the data to be indexed on Splunk indexer instance, but would still need the app on the search head as well to use the dashboards.
Thanks,
~ Abhi
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The application does not define a new index for Rapid7 data – this option is left to the user. It uses the ‘default’ index out of the box but most users change this after installation.
In terms of placement inside your environment you can install it on a single node or both. The application pulls pre-processed data from your Nexpose Console so load on your Splunk node is minimal (meaning installation on the search head alone should be fine).
If you don’t like the idea of your search head pulling and indexing data then you can install a copy of the application on the indexer and configure it to pull data from your Nexpose Console. A copy of the application can then be installed on the search head to just view the indexed data (obviously both will have to be configured to use the new index you are considering setting up).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The application does not define a new index for Rapid7 data – this option is left to the user. It uses the ‘default’ index out of the box but most users change this after installation.
In terms of placement inside your environment you can install it on a single node or both. The application pulls pre-processed data from your Nexpose Console so load on your Splunk node is minimal (meaning installation on the search head alone should be fine).
If you don’t like the idea of your search head pulling and indexing data then you can install a copy of the application on the indexer and configure it to pull data from your Nexpose Console. A copy of the application can then be installed on the search head to just view the indexed data (obviously both will have to be configured to use the new index you are considering setting up).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to refer to a separate index instead of using the default index "main"? I have added the following in the "inputs.conf"
index = rapid7
The Splunk was restarted but it seems no event logged in the new index. Moreover, will the Nexpose dashboard refer all data from the new index? Any customisation would be needed on the dashboard layer? Thanks.
Kelvin
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
