Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Enterprise Security 2.2.1 how do i clear sa_vulns tsidx ?

bnafziger
Engager
‎09-27-2013 04:00 PM

I added a new vulnerability data input - a new vmscanner. Cool beans! Now I'd like to clear the sa _ vulns tsidx and reload all the vm data. I set the sa _ vulns tsidx retention time to 60 seconds (see below) and restarted splunk but that did not clear it. How long would it take to clear it? Is that the right approach? I'd be glad to dig deeper if you can point me to the proper docs.

Thanks!

-sh-4.1$ bin/splunk cmd btool tsidx_retention list sa_vuln
[sa_vulns]
maxTotalDataSizeMB = 500000
retentionTimePeriodInSecs = 60
-sh-4.1$
0 Karma
Reply

bnafziger
Engager
‎09-30-2013 12:26 PM

In the end I was successful by stopping splunk, renaming the existing tsidx file, restarting splunk and then running the SA-NetworkProtection postprocess.conf Vuln TSIDX Generating Search for sa_vulns over the new large time-frame (you will need to have some ideas how post process works with saved searches). The results display nicely in the Network Vuln Dashboards.

[WARNING WARNING WARNING there are other non vmscanner events that are classified as vulnerabilities which will be GONE once you rename the existing tsidx file]

For those treading down similar roads, the SA-NetworkProtection postprocess.conf Vuln TSIDX Generating Search only runs over a 15 min interval. Since my Vuln scanner script only runs once a day, I scheduled a daily sourcetype=myvmscanner Vuln TSIDX Generating Search that runs over the past 24 hours.

Reply

mloven_splunk
Splunk Employee
Splunk Employee
‎09-30-2013 07:26 PM

Hey Brian! Glad you got it sorted out!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...