I changed the app settings on the indexer (which is also the search head) to include API credentials and all proper settings enabled, but I do not see any data. Must I place a forwarder on the appliance itself somehow?
Got data to come in. Now trying to pull CVE data in using the built-in script and getting the following error. Any suggestions?
sudo bash /opt/splunk/etc/apps/TA-qualys/bin/update_qualys_kb.sh
Traceback (most recent call last):
  File "./update_qualys_kb.py", line 48, in <module>
    cfg = get_splunk_config("qualys", "api")
  File "./update_qualys_kb.py", line 20, in get_splunk_config
    env["LD_LIBRARY_PATH"] = os.path.join(env["SPLUNK_HOME"], "lib")
KeyError: 'SPLUNK_HOME'
Try running that like so:
sudo /opt/splunk/bin/splunk cmd /opt/splunk/etc/apps/TA-qualys/bin/update_qualys_kb.sh
You need to run this from within the Splunk environment in order for certain functionality to be available. The above command will do that.
Let us know if that helps.
This did the job! Thank you. However, can I expect the job that runs at 4:15am each night to work as it should? It does not seem to work properly (as of last night).
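The `splunk cmd` fix suggested above, written as a reusable wrapper (an added example, not part of the thread or of TA-qualys): it runs a script directly when `SPLUNK_HOME` is already set and through `splunk cmd` otherwise, so the same call works from a login shell, under `sudo`, or from a scheduler that starts with a minimal environment. The function names and the `SPLUNK_ROOT` variable are hypothetical; the `/opt/splunk` default is taken from the paths in the thread.

```shell
#!/bin/sh
# Added example: make sure a script runs inside the Splunk environment.
# SPLUNK_ROOT is a hypothetical override; /opt/splunk matches the thread.
SPLUNK_ROOT="${SPLUNK_ROOT:-/opt/splunk}"

# Succeeds when SPLUNK_HOME is set and points at an existing directory.
in_splunk_env() {
    [ -n "${SPLUNK_HOME:-}" ] && [ -d "$SPLUNK_HOME" ]
}

# Run "$@" as-is when the environment is already prepared; otherwise hand it
# to `splunk cmd`, which sets SPLUNK_HOME and related variables first.
run_in_splunk_env() {
    if [ "$#" -eq 0 ]; then
        echo "usage: run_in_splunk_env <script> [args...]" >&2
        return 64
    fi
    if in_splunk_env; then
        "$@"
        return
    fi
    splunk_bin="$SPLUNK_ROOT/bin/splunk"
    if [ ! -x "$splunk_bin" ]; then
        # Fail loudly instead of letting the script die later with KeyError.
        echo "splunk binary not found or not executable: $splunk_bin" >&2
        return 127
    fi
    "$splunk_bin" cmd "$@"
}

# Used as a script, pass the command to wrap as arguments, e.g.
#   wrapper.sh /opt/splunk/etc/apps/TA-qualys/bin/update_qualys_kb.sh
if [ "$#" -gt 0 ]; then
    run_in_splunk_env "$@"
fi
```

Pointing a scheduled entry at a wrapper like this gives the job the same environment the manual `splunk cmd` run had.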