Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Qualys App - How to force the downloading of all data assets in Splunk?

cbrahamcha
New Member
‎06-16-2017 01:41 AM

Hello,

I'm using Qualys App in order to import vulnerabilities data in Splunk for reporting.

Since about 2 months, I can see a discrepancy between datas in the DB Splunk and Qualys. Some assets in Splunk are missing.

I have checked, and :
-> it isn't a problem of rights of the qualys API account
-> I don't see any error messages in Splunk
-> I don't hit the Qualys API limit.

I guess it's a problem of "delta" download, but I'm not sure.

Does it exist a way to force the Qualys App in Splunk to force the downloading of all the datas (not only the new datas) ?

Thanks a lot for your help

Best regards,

Cyrille

Labels (1)
Labels
0 Karma
Reply

nit123
Path Finder
‎06-16-2017 06:04 AM

Can you confirm the following . I assume you are using /api/2.0/fo/asset/host/vm/detection/ API.

  1. Version of Qualys App

  2. Is the data input enabled on your Splunk instance ?

  3. Are you pulling vulnerabilities data for the first time or doing a delta pull ? if you already have data pulled from earlier API pull, the checkpoint file shall have the date of when the last run happened.

Now, to answer your question 'Does it exist a way to force the Qualys App in Splunk to force the downloading of all the datas (not only the new datas) ? '

  1. The checkpoint file is located at /opt/splunk/var/lib/splunk/modinputs/qualys/filename . If you are ok with pulling entire data again, delete that file specific to your input.

  2. Restart your splunk instance so that app repolls the data .

Tips to check data pull

  1. The older app had a script, which was used to debug the data pulling operations. If your SPLUNK_HOME is /opt/splunk, then from SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform run following command - /opt/splunk/bin/splunk cmd python ./bin/run.py -h

  2. Check if there are any API errors at /opt/splunk/var/log/splunk/ta_QualysCloudPlatform.log

Hope this helps solve your question. If not , request you to provide more information on the questions above. Thanks.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...