Getting Data In

How to provide a valid start time for the Tenable add-on input?

hettervik
Builder

Hi. I'm trying to add a new input with the Tenable add-on: https://splunkbase.splunk.com/app/4060/

When adding a new input I can input a "start time" from when the add-on will start collection data from Tenable, as opposed to "all time" I suppose, but no matter how I format my timestamp, the add-on won't accept it. See screenshot. I've tried all sort of variations, but all fail. I've also looked at the documentation (https://docs.tenable.com/integrations/Splunk/Content/Splunk2/CreateInput.htm) which suggest another time format than the add-on itself (probably not updated), but that isn't working either.

Has anyone gotten this to work, and if so, what is the correct way of formating the timestamp?

hettervi_0-1644845813742.png

Labels (2)
0 Karma

etoombs
Path Finder

Mine is set formatted as:  2021-01-01T01:01:00Z

0 Karma

etoombs
Path Finder

I neglected to say that the Z is not representative. It is literally the character Z.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The literal character 'Z' is representative of the GMT/UTC time zone.  It should be written as %Z in a time format string to ensure Splunk applies the right time zone.

---
If this reply helps you, Karma would be appreciated.
0 Karma

wanderson7
Explorer

Hi, I am not sure if this directly answers your question, but perhaps it could be of some help being that it is Tenable/Nessus related.

I recently developed a free open-source application called TenaPull, which processes Nessus data for ingestion by Splunk.  There is more information here:

https://community.splunk.com/t5/Getting-Data-In/I-developed-an-application-to-process-Nessus-data-fo...

GitHub repo:
https://github.com/billyJoePiano/TenaPull

richgalloway
SplunkTrust
SplunkTrust

The form says it wants a time in YYYY-mm-ddTHH:MM:SSZ format in the UTC timezone.  Have you tried 2022-01-01T00:01:01Z?

---
If this reply helps you, Karma would be appreciated.
0 Karma

hettervik
Builder

Thanks, but the format you're suggesting was the first one I tried.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...