After going to the new version, look like its not working with no data going into the index.
Running the search (index=_internal sourcetype=splunkd TA-QualysCloudPlatform) we are getting a lot of the following:
ERROR ExecProcessor - message from "python /apps/splunk/etc/apps/TA-QualysCloudPlatform/bin/qualys.py"
qualysModule.lib.api.Client.APIRequestError: Error during request to /msp/about.php, [None] Unauthorized
raise APIRequestError("Error during request to %s, [%s] %s" % (end_point, ue.errno, ue.reason))
So the issue was with API access.
The best way to find these WAS issues and the answers is from the following search:
index=_internal sourcetype=qualys source="qualys://was_findings"
The only issue i see is the WAS APP.
The TA is downloading xml files but not passing them into the APP.
Can you please elaborate what issue you are facing with WAS app?
After a while the data did get into the APP
Good to see your problem no more exists! There's really no magic in WAS app, its just a bunch of dashboards and reports. TA ingests data into Splunk and then this app just do the reporting part on top of that. Must be some delay in events association at Splunk level. 🙂
I have finally got this working again.
I removed the application, restarted splunk and installed it again.
Double checked the user account had rights to everything. Noticed that the account i was using didnt have rights to view all objects.