
Qualys-TA ignores index setting in inputs.conf

DATEVeG
Path Finder

Hi,

We are using version 1.4 of Qualys Technology Add-on (TA) for Splunk.
Our $SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/local/inputs.conf is:

[qualys://host_detection]
duration = 0 * * * *
index = vulnerabilities
start_date = 1999-01-01T00:00:00Z
disabled = 0

However, the gathered information is written to the main index:

[...]
TA-QualysCloudPlatform: 2019-02-18 16:00:31 PID=89627 [MainThread] INFO: TA-QualysCloudPlatform - Running for knowledge_base. Host name to be used: our_host. Index configured: main. Run duration: 0 * * * *. Default start date: 1999-01-01T00:00:00Z.
[...]

The TA is installed on a heavy forwarder. The index vulnerabilities is defined on our index peers, but not on the heavy forwarder.

How can I configure the TA to write to the index vulnerabilities instead of main?

Thanks!

  • Lorenz
0 Karma
1 Solution

DATEVeG
Path Finder

My restart command didn't work, because of the new splunk systemd service file.
After checking and restarting splunk manually everything works fine now.


0 Karma


lakshman239
SplunkTrust

Change your default start date to a more recent one: start_date = 2019-01-01T00:00:00Z

Restart HF and Indexers.

0 Karma

MattibergB
Path Finder

Some simple checks could help

  • Did you restart the HF after changing the inputs.conf?
  • If you use btool on the HF and on the Indexers, do you see the correct values? \splunkpath\splunk cmd btool inputs list --debug

Change the path for your splunk bin directory

DATEVeG
Path Finder

Thanks for your input!

My restart command didn't work, because of the new splunk systemd service file.
After checking and restarting splunk manually everything works fine now.

0 Karma
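
The check suggested in the replies, as an added example that is not part of the original thread or of the TA: btool reads inputs.conf from disk, while the TA's "Index configured:" log line shows what the running splunkd loaded, so a difference between the two points to a restart that never took effect. The function names, the sample btool output and the sample log line are constructed; the `--debug` layout (file path column, then the setting) is assumed.

```shell
#!/bin/sh
# Constructed sample of `splunk cmd btool inputs list --debug` output on the HF.
BTOOL_SAMPLE='/opt/splunk/etc/apps/TA-QualysCloudPlatform/local/inputs.conf [qualys://host_detection]
/opt/splunk/etc/apps/TA-QualysCloudPlatform/local/inputs.conf disabled = 0
/opt/splunk/etc/apps/TA-QualysCloudPlatform/local/inputs.conf duration = 0 * * * *
/opt/splunk/etc/system/default/inputs.conf                    host = $decideOnStartup
/opt/splunk/etc/apps/TA-QualysCloudPlatform/local/inputs.conf index = vulnerabilities'

# Constructed TA log line, modelled on the format quoted in the question.
LOG_SAMPLE='TA-QualysCloudPlatform: 2019-02-18 16:00:31 PID=89627 [MainThread] INFO: TA-QualysCloudPlatform - Running for host_detection. Host name to be used: our_host. Index configured: main. Run duration: 0 * * * *.'

# on_disk_index STANZA: btool --debug output on stdin, prints the index set in STANZA.
# Assumes the file path in the first column contains no whitespace.
on_disk_index() {
  awk -v want="[$1]" '
    { line = $0; sub(/^[^ \t]+[ \t]+/, "", line) }      # drop the --debug path column
    line ~ /^\[/ { in_stanza = (line == want); next }   # track the current stanza
    in_stanza && line ~ /^index[ \t]*=/ {
      sub(/^index[ \t]*=[ \t]*/, "", line); print line; exit
    }'
}

# running_index INPUT: TA log lines on stdin, prints the index logged by the
# most recent run of INPUT (what the running process actually uses).
running_index() {
  grep -F "Running for $1." | tail -n 1 |
    sed -n 's/.*Index configured: \([^ ]*\)\. .*/\1/p'
}

# check_input INPUT BTOOL_TEXT LOG_TEXT: returns 0 when disk and runtime agree.
check_input() {
  local disk run
  disk=$(printf '%s\n' "$2" | on_disk_index "qualys://$1")
  run=$(printf '%s\n' "$3" | running_index "$1")
  if [ "$disk" = "$run" ]; then
    echo "OK: $1 writes to index=$run"
  else
    echo "MISMATCH: $1 on disk index=${disk:-unset}, running index=${run:-not logged}"
    echo "  inputs.conf was edited but not reloaded; verify splunkd really restarted"
    return 1
  fi
}

# Demo on the constructed samples: reports the mismatch described in the thread.
check_input host_detection "$BTOOL_SAMPLE" "$LOG_SAMPLE" || true
```

On a real heavy forwarder, pass the live btool output and the TA's log contents as the second and third arguments instead of the samples.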