Create an Input
After you complete the configuration for your Tenable Add-On for Splunk, you must create the input.
To create an input:
- In the Splunk interface, click the Inputs tab.
- Click the Create New Input button.
  A drop-down box appears.
- Select the appropriate Tenable application.
  The selected Tenable application input options open in a new window.
- Enter the necessary information for each field. The following table describes the available options.
Note: If you don't use the default index, you must update the Tenable Macro.
Tenable Vulnerability Management
| Input Parameters | Description | Required |
|---|---|---|
| Name | The unique name for each Tenable data input. | Yes |
| Interval | The interval parameter specifies when the input restarts to perform the task again (in seconds). The interval amount must be between 3600 and 86400. | Yes |
| Index | The index in which to store Tenable Vulnerability Management data. | Yes |
| Global Account | Splunk pulls data from this Tenable account. | Yes |
| Sync Plugin Details | If selected, the related tags in Tenable assets include plugin details. | Yes |
| Host Vulnerability | Enable Host Vulnerability: enable to collect host assets and host vulnerabilities. | Yes; for at least one data source. |
| Start Time | The date and time to start collecting host data. If you leave this field blank, the integration collects all historical data. Enter in this format: YYYY-MM-DD hh:mm:ss. | No |
| Lowest Severity Score | The lowest level of severity stored. | No |
| Historical Fixed Vulnerability | Allows the import of host vulnerabilities fixed before the current day. | No |
| Tags | Limits host vulnerabilities pulled to host assets that have tags selected. | No |
Tenable Security Center Vulnerability
| Input Parameters | Description | Required |
|---|---|---|
| Name | The unique name for each Tenable data input. | Yes |
| Interval | The interval parameter specifies when the input restarts to perform the task again (in seconds). The interval amount must be between 300 and 86400. Note: If using a Tenable Security Center version previous to 5.7, the minimum interval you can select is 24 hours. If using Tenable Security Center 5.7 or later, you can specify a minimum interval of an hour. | Yes |
| Index | The index in which to store Tenable Security Center data. | Yes |
| Global Account | Splunk pulls data from this Tenable account. | Yes |
| Start Time | The date and time to start collecting data. If you leave this field blank, the integration collects all historical data. Note: Uses the YYYY-MM-DD hh:mm:ss format. | No |
| Sync Plugin Details | If selected, the related tags in Tenable assets include plugin details. | Yes |
| Historical Fixed Vulnerability | Allows the import of vulnerabilities fixed before the current day. | No |
| Query Name | A name for Tenable Security Center vulnerability filter. Note: The interval must be query type Vulnerability Detail List. | No |
Tenable Security Center Mobile
| Input Parameters | Description | Required |
|---|---|---|
| Name | The unique name for each Tenable data input. | Yes |
| Interval | The interval parameter specifies when the input restarts to perform the task again (in seconds). | Yes |
| Index | The index in which to store Tenable Security Center data. | Yes |
| Global Account | Splunk pulls data from this Tenable account. | Yes |
| Query Name | A name for Tenable Security Center vulnerability filter. Note: The interval must be query type Vulnerability Detail List. | No |
- Click Add to create the input.
- Run the All Time saved search.
- Schedule an All Time saved search.
Note: Tenable recommends running the saved search every 24 hours. However, you can adjust as needed.
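
The constraints in the parameter tables above can be checked against a planned set of inputs before they are entered in the Splunk interface. The following pre-flight check is an added example, not part of the Tenable Add-On; the dictionary keys (`name`, `application`, `interval`, `index`, `global_account`, `start_time`) and the sample plan are hypothetical and constructed for illustration.

```python
from datetime import datetime

# Interval bounds in seconds from the tables above; the page gives no range
# for the Mobile input. Dict keys below are hypothetical, not add-on settings.
BOUNDS = {
    "Tenable Vulnerability Management": (3600, 86400),
    "Tenable Security Center Vulnerability": (300, 86400),
    "Tenable Security Center Mobile": None,
}

def check_inputs(planned):
    """Return (input name, level, message) findings for planned inputs."""
    findings, seen = [], set()
    for item in planned:
        name, app = item.get("name", ""), item.get("application")
        if not name or name in seen:
            findings.append((name, "error", "Name must be set and unique"))
        seen.add(name)
        if app not in BOUNDS:
            findings.append((name, "error", "unknown Tenable application"))
            continue
        for field in ("interval", "index", "global_account"):
            if not item.get(field):
                findings.append((name, "error", field + " is required"))
        lo_hi, interval = BOUNDS[app], item.get("interval")
        if lo_hi and interval and not lo_hi[0] <= interval <= lo_hi[1]:
            findings.append((name, "error", "interval outside %d-%d s" % lo_hi))
        if app.endswith("Mobile"):
            continue  # the Mobile table has no Start Time field
        start = item.get("start_time", "")
        if not start:
            findings.append((name, "warning", "blank Start Time collects all historical data"))
            continue
        try:
            datetime.strptime(start, "%Y-%m-%d %H:%M:%S")  # YYYY-MM-DD hh:mm:ss
        except ValueError:
            findings.append((name, "error", "Start Time is not YYYY-MM-DD hh:mm:ss"))
    return findings

# Constructed sample plan; names, indexes and accounts are made up.
PLAN = [
    {"name": "tvm_prod", "application": "Tenable Vulnerability Management",
     "interval": 900, "index": "tenable", "global_account": "acct1",
     "start_time": "2024-01-01 00:00:00"},
    {"name": "sc_vuln", "application": "Tenable Security Center Vulnerability",
     "interval": 3600, "index": "tenable", "global_account": "acct2"},
]

if __name__ == "__main__":
    for finding in check_inputs(PLAN):
        print(finding)
```

The warning level is used for a blank Start Time because the input is valid but pulls the full history into the index on its first run.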