Troubleshooting

  1. I am getting a Splunk error.

    • Check the $SPLUNK_HOME/var/log/splunk/splunkd.log for Splunk related errors. If you see errors, contact your Splunk administrator.

      Note: Your must set your SPLUNK_HOME environment.

  2. I don’t see data after setting up mod input.

    • For Tenable.io mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_tenable_io.log file.
    • For Tenable.sc mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_tenable_securitycenter.log .
    • For Tenable.sc mobile mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_tenable_securitycenter_mobile.log file.

  3. Data is not populating in the Tenable App dashboards.

    • Run an All Time saved search for Tenable.io or Tenable.sc.  After running the All Time saved search, turn on and schedule a saved search.

    • Try expanding the time range from the last 24 hours.
    • Check the Tenable macro (get_tenable_index) and ensure the Tenable index is set correctly.

    • The dashboard can take some time to populate when data collection is started. To ensure you are receiving all available data, take the following steps:

      • search `get_tenable_index` | stats count by source type

      • You should see the following source types: tenable:io:vuln, tenable:io:assets, tenable:sc:vuln"\, tenable:sc:plugin, tenable:sc:assets, tenable:sc:mobile:vuln, tenable:sc:mobile:assets, tenable:nnm:vuln.

      • Check the log file for any errors - $SPLUNK_HOME/var/log/splunk/splunkd.log

      • Note that the app only imports new information from Tenable.sc. So if you have not scanned recently, there will not be any updates.

  4. While running Tenable.io, I get the following error: ERROR pid=106020 tid=MainThread file=io_connect.py:__checkResponse:83 | Tenable Error: response: Duplicate export not allowed. Please modify request or wait until existing export is complete.

    • You must create a new, unique user and API login to use in Splunk.
  5. I can't set up a connection with Splunk Mission Control.
    • If you have an issue trying to establish connection with Mission Control, refer to Splunk documentation for Splunk Connect for Mission Control.
  6. I can't set up a default Instance.
    • If you are unable to find the Tenable Vulnerability Center dashboard under Managed Dashboards section in the Dashboards drop-down, make sure there are no trailing white-spaces for the connection ID fetched from Admin Settings. Refer to Tenable Plugin for Splunk documentation.
  7. Data is not populated on Mission Control.
    • If you are not able to find data on Plugin Dashboards/ AQ tabs/ Investigation tabs:
      1. Verify that you have an active connection between the On-premise instance and Mission Control by navigating to Admin settings > Product Settings > Splunk Connect for Mission Control. Check the connection status against the configured instance.
      2. If the status is Inactive, please refer to Splunk documentation.
      3. If the status is Active, verify that the Tenable application’s look-up has data by referring to Tenable App for Splunk documentation.
  8. The Analyst Queue and Investigation tabs are not getting rendered for a particular Notable in Splunk Mission Control.
    • If you are not able to render Tenable Summary Analyst Queue tabs and Tenable Investigation tabs, make sure the label for the given notable is mcef_tenable_plugin_for_mission_control. If not, update the label for that notable manually with the edit option or reconfigure the Notable Events step in the Tenable App for Splunk documentation with the correct label.