Troubleshooting

1. I am getting a Splunk error.

   • Check the $SPLUNK_HOME/var/log/splunk/splunkd.log for Splunk related errors. If you see errors, contact your Splunk administrator.

     Note: Your must set your SPLUNK_HOME environment.

2. I don’t see data after setting up mod input.

   • For Tenable.io mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_tenable_io.log file.
   • For Tenable.sc mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_tenable_securitycenter.log .
   • For Tenable.sc mobile mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_tenable_securitycenter_mobile.log file.

3. Data is not populating in the Tenable App dashboards.

   • Run an All Time saved search for Tenable.io or Tenable.sc.  After running the All Time saved search, turn on and schedule a saved search.

   • Try expanding the time range from the last 24 hours.
   • Check the Tenable macro (get_tenable_index) and ensure the Tenable index is set correctly.

   • The dashboard can take some time to populate when data collection is started. We To ensure you are receiving all data:

     • search `get_tenable_index` | stats count by source type

     • You should see the following source types: tenable:io:vuln, tenable:io:assets, tenable:sc:vuln"\, tenable:sc:plugin, tenable:sc:assets, tenable:sc:mobile:vuln, tenable:sc:mobile:assets, tenable:nnm:vuln.

     • Check the log file for any errors - $SPLUNK_HOME/var/log/splunk/splunkd.log

4. While running Tenable.io, I get the following error: ERROR pid=106020 tid=MainThread file=io_connect.py:__checkResponse:83 | Tenable Error: response: Duplicate export not allowed. Please modify request or wait until existing export is complete.

   • You must create a new, unique user and API login to use in Splunk.