Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Qualys App - How to force the downloading of all data assets in Splunk?

cbrahamcha
New Member
‎06-16-2017 01:41 AM

Hello,

I'm using Qualys App in order to import vulnerabilities data in Splunk for reporting.

Since about 2 months, I can see a discrepancy between datas in the DB Splunk and Qualys. Some assets in Splunk are missing.

I have checked, and :
-> it isn't a problem of rights of the qualys API account
-> I don't see any error messages in Splunk
-> I don't hit the Qualys API limit.

I guess it's a problem of "delta" download, but I'm not sure.

Does it exist a way to force the Qualys App in Splunk to force the downloading of all the datas (not only the new datas) ?

Thanks a lot for your help

Best regards,

Cyrille

Labels (1)
Labels
0 Karma
Reply

nit123
Path Finder
‎06-16-2017 06:04 AM

Can you confirm the following . I assume you are using /api/2.0/fo/asset/host/vm/detection/ API.

  1. Version of Qualys App

  2. Is the data input enabled on your Splunk instance ?

  3. Are you pulling vulnerabilities data for the first time or doing a delta pull ? if you already have data pulled from earlier API pull, the checkpoint file shall have the date of when the last run happened.

Now, to answer your question 'Does it exist a way to force the Qualys App in Splunk to force the downloading of all the datas (not only the new datas) ? '

  1. The checkpoint file is located at /opt/splunk/var/lib/splunk/modinputs/qualys/filename . If you are ok with pulling entire data again, delete that file specific to your input.

  2. Restart your splunk instance so that app repolls the data .

Tips to check data pull

  1. The older app had a script, which was used to debug the data pulling operations. If your SPLUNK_HOME is /opt/splunk, then from SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform run following command - /opt/splunk/bin/splunk cmd python ./bin/run.py -h

  2. Check if there are any API errors at /opt/splunk/var/log/splunk/ta_QualysCloudPlatform.log

Hope this helps solve your question. If not , request you to provide more information on the questions above. Thanks.

Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...