Troubleshooting

  1. I am getting a Splunk error.

    • Check the $SPLUNK_HOME/var/log/splunk/splunkd.log for Splunk related errors. If you see errors, contact your Splunk administrator.

      Note: You must set the SPLUNK_HOME environment variable.

  2. I don’t see data after setting up mod input.

    • For Tenable.io mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_tenable_io.log file.
    • For Tenable.sc mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_tenable_securitycenter.log file.
    • For Tenable.sc mobile mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_tenable_securitycenter_mobile.log file.
  3. Data is not populating in the Tenable App dashboards.

    • Run an All Time saved search for Tenable.io or Tenable.sc. After running the All Time saved search, turn on and schedule a saved search.

    • Try expanding the time range from the last 24 hours.
    • Check the Tenable macro (get_tenable_index) and ensure the Tenable index is set correctly.
    • The dashboard can take some time to populate when data collection is started. To ensure you are receiving all available data, take the following steps:

      • search `get_tenable_index` | stats count by sourcetype

      • You should see the following source types: tenable:io:vuln, tenable:io:assets, tenable:io:plugin, tenable:io:assets:cloud, tenable:io:assets:web_app, tenable:io:vuln:host_audit, tenable:io:vuln:cloud, tenable:io:vuln:web_app, tenable:sc:vuln, tenable:sc:plugin, tenable:sc:assets, tenable:sc:mobile:vuln, tenable:sc:mobile:assets, tenable:nnm:vuln.

      • Check the log file for any errors: $SPLUNK_HOME/var/log/splunk/splunkd.log

      • The app only imports new information from Tenable.sc, so if you have not scanned recently, there may not be any updates.

  4. While running Tenable.io, I get the following error: ERROR pid=106020 tid=MainThread file=io_connect.py:__checkResponse:83 | Tenable Error: response: Duplicate export not allowed. Please modify request or wait until existing export is complete.

    • Create a new, unique user and API login to use in Splunk.
  5. I can't set up a connection with Splunk Mission Control.
    • If you have an issue trying to establish connection with Mission Control, refer to Splunk documentation for Splunk Connect for Mission Control.
  6. I can't set up a default Instance.
    • If you are unable to find the Tenable Vulnerability Center dashboard under the Managed Dashboards section in the Dashboards drop-down, make sure there is no trailing whitespace in the connection ID fetched from Admin Settings. Refer to Tenable Plugin for Splunk documentation.
  7. Data does not populate in Mission Control.
    • If you are not able to find data on Plugin Dashboards, AQ tabs, or Investigation tabs:
      1. Verify that you have an active connection between the On-premise instance and Mission Control by navigating to Admin settings > Product Settings > Splunk Connect for Mission Control. Check the connection status against the configured instance.
      2. If the status is Inactive, refer to Splunk documentation.
      3. If the status is Active, verify that the Tenable application’s look-up has data by referring to Tenable App for Splunk documentation.
  8. The Analyst Queue and Investigation tabs are not getting rendered for a particular Notable in Splunk Mission Control.
    • If you are not able to render Tenable Summary Analyst Queue tabs and Tenable Investigation tabs, make sure the label for the given notable is mcef_tenable_plugin_for_mission_control. If not, update the label for that notable manually with the edit option or reconfigure the Notable Events step in the Tenable App for Splunk documentation with the correct label.
  9. I am getting an error when applying internal self-signed SSL certificates to Tenable.sc.
    • You may get this error if your Tenable.sc self-signed certificate has not been installed in Splunk and the optional Verify SSL Certificate setting is enabled. Completing this installation allows Splunk to trust the designated SSL client certificate you installed.

    • Install the CA certificate so that the Splunk integration trusts it. For more information, see Configure Tenable Certificates.
  10. Connection aborted due to "Remote end closed connection without response" error in Splunk logs.
    • If the “Remote end closed connection without response” error appears in the ta_tenable_tenable_io.log, ta_tenable_tenable_securitycenter.log, or ta_tenable_tenable_securitycenter_mobile.log file in $SPLUNK_HOME/var/log/splunk, make sure that no data collection is in progress in Splunk when you stop the Splunk service or upgrade the Tenable Application for Splunk or the Splunk Add-on. When this error occurs, Splunk retries the failed request with the same checkpoint values after it comes back online.
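
The log checks from items 2, 4 and 10, gathered into one shell function as an added example (not part of the Tenable or Splunk documentation). The log file names and the two error strings come from this page; the function names, the output format and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the Tenable add-on logs named on this page.
# Function names, output format and sample lines are constructed.

tenable_log_triage() {
    # $1 = log directory, normally "$SPLUNK_HOME/var/log/splunk"
    for name in ta_tenable_tenable_io.log \
                ta_tenable_tenable_securitycenter.log \
                ta_tenable_tenable_securitycenter_mobile.log; do
        f="$1/$name"
        if [ ! -r "$f" ]; then
            # Log file is absent or unreadable
            printf '%s missing\n' "$name"
            continue
        fi
        # grep -c exits 1 on zero matches; "|| true" keeps "set -e" callers alive
        err=$(grep -c -E '(^|[[:space:]])ERROR[[:space:]]' "$f" || true)
        dup=$(grep -c -F 'Duplicate export not allowed' "$f" || true)
        closed=$(grep -c -F 'Remote end closed connection without response' "$f" || true)
        printf '%s errors=%s duplicate_export=%s remote_closed=%s\n' \
            "$name" "$err" "$dup" "$closed"
    done
}

make_sample_logs() {
    # Constructed log lines (not captured from a real system); $1 = target dir
    cat > "$1/ta_tenable_tenable_io.log" <<'EOF'
2024-01-01 10:00:00,000 INFO pid=100 tid=MainThread file=io_connect.py | Export started
2024-01-01 10:00:05,000 ERROR pid=100 tid=MainThread file=io_connect.py:__checkResponse:83 | Tenable Error: response: Duplicate export not allowed. Please modify request or wait until existing export is complete.
2024-01-01 10:05:00,000 ERROR pid=100 tid=MainThread | Remote end closed connection without response
EOF
    printf '%s\n' '2024-01-01 10:00:00,000 INFO pid=200 tid=MainThread | Collection finished' \
        > "$1/ta_tenable_tenable_securitycenter.log"
    # The mobile log is deliberately not created, to show the "missing" case.
}

# Demo on the constructed logs; on a real host run:
#   tenable_log_triage "$SPLUNK_HOME/var/log/splunk"
demo=$(mktemp -d)
make_sample_logs "$demo"
tenable_log_triage "$demo"
rm -rf "$demo"
```

A non-zero duplicate_export count points to item 4, and a non-zero remote_closed count points to item 10.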