Splunk Enterprise Security

Enterprise Security 2.2.1 how do i clear sa_vulns tsidx ?

Engager

I added a new vulnerability data input - a new vmscanner. Cool beans! Now I'd like to clear the sa _ vulns tsidx and reload all the vm data. I set the sa _ vulns tsidx retention time to 60 seconds (see below) and restarted splunk but that did not clear it. How long would it take to clear it? Is that the right approach? I'd be glad to dig deeper if you can point me to the proper docs.

Thanks!

-sh-4.1$ bin/splunk cmd btool tsidx_retention list sa_vuln
[sa_vulns]
maxTotalDataSizeMB = 500000
retentionTimePeriodInSecs = 60
-sh-4.1$
0 Karma

Engager

In the end I was successful by stopping splunk, renaming the existing tsidx file, restarting splunk and then running the SA-NetworkProtection postprocess.conf Vuln TSIDX Generating Search for sa_vulns over the new large time-frame (you will need to have some ideas how post process works with saved searches). The results display nicely in the Network Vuln Dashboards.

[WARNING WARNING WARNING there are other non vmscanner events that are classified as vulnerabilities which will be GONE once you rename the existing tsidx file]

For those treading down similar roads, the SA-NetworkProtection postprocess.conf Vuln TSIDX Generating Search only runs over a 15 min interval. Since my Vuln scanner script only runs once a day, I scheduled a daily sourcetype=myvmscanner Vuln TSIDX Generating Search that runs over the past 24 hours.

Splunk Employee
Splunk Employee

Hey Brian! Glad you got it sorted out!

0 Karma