Troubleshooting

I am getting a Splunk error.

Check the $SPLUNK_HOME/var/log/splunk/splunkd.log file for Splunk-related errors. If you see errors, contact your Splunk administrator.

Note: You must set your SPLUNK_HOME environment variable.

I don’t see data after setting up mod input.
- For Tenable.io mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_tenable_io.log file.
- For Tenable.sc mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_tenable_securitycenter.log file.
- For Tenable.sc mobile mod-input, check the $SPLUNK_HOME/var/log/splunk/ta_tenable_tenable_securitycenter_mobile.log file.

Data is not populating in the Tenable App dashboards.
- Run an All Time saved search for Tenable.io or Tenable.sc. After running the All Time saved search, turn on and schedule a saved search.
- Try expanding the time range from the last 24 hours.
- Check the Tenable macro (get_tenable_index) and ensure the Tenable index is set correctly.

The dashboard can take some time to populate when data collection is started. To ensure you are receiving all available data, take the following steps:
- Run the following search:
  search `get_tenable_index` | stats count by sourcetype
  You should see the following source types: tenable:io:vuln, tenable:io:assets, tenable:sc:vuln, tenable:sc:plugin, tenable:sc:assets, tenable:sc:mobile:vuln, tenable:sc:mobile:assets, tenable:nnm:vuln.
- Check the log file for any errors: $SPLUNK_HOME/var/log/splunk/splunkd.log

Note that the app only imports new information from Tenable.sc. If you have not scanned recently, there will not be any updates.

While running Tenable.io, I get the following error: ERROR pid=106020 tid=MainThread file=io_connect.py:__checkResponse:83 | Tenable Error: response: Duplicate export not allowed. Please modify request or wait until existing export is complete.
- You must create a new, unique user and API login to use in Splunk.
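
The mod-input log checks and the Duplicate export error described on this page can be triaged in one pass. The Python sketch below is an added example, not code from Tenable or Splunk: it assumes each log line follows the `ERROR pid=… tid=… file=… | message` layout quoted above, optionally preceded by a timestamp, and the function names and sample lines are constructed for illustration.

```python
import os
import re
from collections import Counter

# Mod-input log files named on this page, under $SPLUNK_HOME/var/log/splunk.
MOD_INPUT_LOGS = {
    "Tenable.io": "ta_tenable_tenable_io.log",
    "Tenable.sc": "ta_tenable_tenable_securitycenter.log",
    "Tenable.sc mobile": "ta_tenable_tenable_securitycenter_mobile.log",
}
# Layout of the error quoted on this page; any prefix before ERROR is ignored.
ERROR_RE = re.compile(
    r"\bERROR\s+pid=\d+\s+tid=\S+\s+"
    r"file=(?P<file>[^:\s]+):(?P<func>[^:\s]+):(?P<line>\d+)\s+\|\s+(?P<msg>.*)"
)
ADVICE = {  # message fragment -> remedy given on this page
    "Duplicate export not allowed":
        "Create a new, unique user and API login to use in Splunk.",
}

def triage(lines):
    """Count ERROR lines by code location and collect matching remedies."""
    counts, remedies = Counter(), set()
    for raw in lines:
        m = ERROR_RE.search(raw)
        if m is None:
            continue
        counts[f"{m['file']}:{m['func']}:{m['line']}"] += 1
        remedies.update(fix for frag, fix in ADVICE.items() if frag in m["msg"])
    return counts, sorted(remedies)

def triage_splunk_home(splunk_home):
    """Run triage() over each mod-input log that exists under splunk_home."""
    report = {}
    for name, filename in MOD_INPUT_LOGS.items():
        path = os.path.join(splunk_home, "var", "log", "splunk", filename)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                report[name] = triage(fh)
    return report

# Constructed sample lines; the timestamp prefix is an assumption.
SAMPLE = [
    "2024-01-01 10:00:00,000 INFO pid=106020 tid=MainThread file=io_connect.py:__checkResponse:70 | constructed info line",
    "2024-01-01 10:00:05,000 ERROR pid=106020 tid=MainThread file=io_connect.py:__checkResponse:83 | Tenable Error: response: Duplicate export not allowed. Please modify request or wait until existing export is complete.",
    "2024-01-01 10:05:05,000 ERROR pid=106020 tid=MainThread file=io_connect.py:__checkResponse:83 | Tenable Error: response: constructed message",
]

if __name__ == "__main__":
    home = os.environ.get("SPLUNK_HOME")  # must be set, as noted on this page
    print(triage_splunk_home(home) if home else triage(SAMPLE))
```
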

I can't set up a connection with Splunk Mission Control.
- If you have an issue trying to establish a connection with Mission Control, refer to the Splunk documentation for Splunk Connect for Mission Control.

I can't set up a default Instance.
- If you are unable to find the Tenable Vulnerability Center dashboard under the Managed Dashboards section in the Dashboards drop-down, make sure there are no trailing white spaces in the connection ID fetched from Admin Settings. Refer to the Tenable Plugin for Splunk documentation.

Data is not populated on Mission Control.
- If you are not able to find data on Plugin Dashboards / AQ tabs / Investigation tabs:
  - Verify that you have an active connection between the on-premises instance and Mission Control by navigating to Admin settings > Product Settings > Splunk Connect for Mission Control. Check the connection status against the configured instance.
    - If the status is Inactive, refer to the Splunk documentation.
    - If the status is Active, verify that the Tenable application's lookup has data by referring to the Tenable App for Splunk documentation.

The Analyst Queue and Investigation tabs are not rendered for a particular notable in Splunk Mission Control.
- If you are not able to render the Tenable Summary Analyst Queue tabs and Tenable Investigation tabs, make sure the label for the given notable is mcef_tenable_plugin_for_mission_control. If it is not, update the label for that notable manually with the edit option, or reconfigure the Notable Events step in the Tenable App for Splunk documentation with the correct label.