Hello,
The reason you are unable to get any data is because you are trying to pull too many results from Security Center at once and the SC API is unable to return that many results. The original app creator must have been working with a very small amount of data. I ran into the same error message with my endOffset being over 70,000.
To fix this issue, you have to reduce the total records being pulled at one time. I modified the /opt/splunk/etc/apps/tenablesc/bin/sc_connect.py file to pull data in chunks of 5,000. This got my data into Splunk. The only downside that I have not fixed is that certain records are not parsed correctly due to additional info being returned (e.g. error_code and timestamp). Here is the code I modified in the sc_connect.py file:
import json  # already imported at the top of sc_connect.py; shown here so the method runs on its own

    def vulnipdetail(self):
        try:
            # the first query returns the first 1000 records and the total number of records
            start, end = 0, 1000
            input = {"tool": "vulndetails", "startOffset": start,
                     "endOffset": end,
                     "sourceType": "cumulative"}
            inputjson = json.dumps(input)
            data = {"request_id": "1",
                    "module": "vuln",
                    "action": "query",
                    "input": inputjson,
                    "token": self.token}
            response, content = self.HttpRequest(data)
            # print the first 1000 records
            print(content)
            result = json.loads(content)
            total = result['response']['totalRecords']
            # this loops through the rest of the records and pulls them in chunks of 5000
            while end < int(total):
                start, end = end, end + 5000
                input = {"tool": "vulndetails", "startOffset": start, "endOffset": end, "sourceType": "cumulative"}
                inputjson = json.dumps(input)
                data = {"request_id": "1", "module": "vuln", "action": "query", "input": inputjson, "token": self.token}
                response, content = self.HttpRequest(data)
                # I tried to concat all the content, but the stdin buffer truncated the results. This causes some records to not be parsed correctly.
                print(content)
        except Exception as e:
            raise Exception("Error performing vuln::query::vulndetails : %s" % str(e))
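The chunked pull described in the post, written out as a stand-alone example (added here; it is not the poster's code and not part of the tenablesc app). It assumes the SC response envelope looks like {"response": {"totalRecords": "...", "results": [...]}, "error_code": 0, "error_msg": "...", "timestamp": ...} and that startOffset/endOffset are half-open; both are assumptions. The FakeSecurityCenter class, its 5,000-row limit and the records it serves are constructed for the example so it runs offline. Instead of printing whole response bodies, it walks the pages and emits one JSON record per line, which sidesteps the truncated-concatenation and error_code/timestamp parsing problems the post mentions, and it advances by the number of rows actually returned rather than by the requested chunk size:

```python
import json

# Constructed sample data: 12,345 minimal vulndetails-style records.
FAKE_RECORDS = [
    {"pluginID": str(10000 + i), "ip": "10.0.%d.%d" % (i // 254, i % 254 + 1), "severity": str(i % 5)}
    for i in range(12345)
]


class FakeSecurityCenter(object):
    """Stand-in for the real HttpRequest endpoint (constructed for this example).

    Returns at most max_rows rows per call and an error envelope beyond that,
    mimicking the failure the post describes for very large endOffset values.
    """

    def __init__(self, records, max_rows=5000):
        self.records = records
        self.max_rows = max_rows
        self.calls = []  # (start, end) of every request, so the pagination can be checked

    def HttpRequest(self, data):
        query = json.loads(data["input"])
        start, end = int(query["startOffset"]), int(query["endOffset"])
        self.calls.append((start, end))
        if end - start > self.max_rows:
            body = {"response": {}, "error_code": 143,
                    "error_msg": "Too many records requested", "timestamp": 0}
        else:
            body = {"response": {"totalRecords": str(len(self.records)),
                                 "results": self.records[start:end]},
                    "error_code": 0, "error_msg": "", "timestamp": 0}
        return {"status": "200"}, json.dumps(body)


def query_chunk(sc, token, start, end):
    """Issue one vuln::query::vulndetails request and return (totalRecords, results)."""
    query = {"tool": "vulndetails", "startOffset": start, "endOffset": end,
             "sourceType": "cumulative"}
    data = {"request_id": "1", "module": "vuln", "action": "query",
            "input": json.dumps(query), "token": token}
    _, content = sc.HttpRequest(data)
    body = json.loads(content)
    # Check the envelope before touching the payload; a non-zero error_code means no results.
    if body.get("error_code"):
        raise RuntimeError("vuln::query failed for offsets %d-%d: %s"
                           % (start, end, body.get("error_msg", "unknown error")))
    resp = body["response"]
    return int(resp["totalRecords"]), resp["results"]


def iter_vulndetails(sc, token, chunk=5000):
    """Yield every vulndetails record, paging through the API chunk rows at a time."""
    start, total = 0, None
    while total is None or start < total:
        total, results = query_chunk(sc, token, start, start + chunk)
        if not results:
            break  # defensive: never loop forever if the server returns an empty page
        for record in results:
            yield record
        start += len(results)  # advance by what came back, not by the requested chunk size


def fetch_all(sc, token, chunk=5000):
    """Collect all records as a list (convenience wrapper around the generator)."""
    return list(iter_vulndetails(sc, token, chunk))


def to_events(records):
    """One compact JSON object per record: the lines a Splunk modular input should emit."""
    return [json.dumps(r, sort_keys=True, separators=(",", ":")) for r in records]


if __name__ == "__main__":
    sc = FakeSecurityCenter(FAKE_RECORDS)
    for line in to_events(iter_vulndetails(sc, token="example-token")):
        print(line)
```

In a real modular input the only change is swapping FakeSecurityCenter for the object that already owns HttpRequest and token in sc_connect.py; emitting the results array record by record means the error_code and timestamp fields of the envelope never reach Splunk's line parser.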