Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Qualys App - How to force the downloading of all data assets in Splunk?

cbrahamcha
New Member
‎06-16-2017 01:41 AM

Hello,

I'm using Qualys App in order to import vulnerabilities data in Splunk for reporting.

Since about 2 months, I can see a discrepancy between datas in the DB Splunk and Qualys. Some assets in Splunk are missing.

I have checked, and :
-> it isn't a problem of rights of the qualys API account
-> I don't see any error messages in Splunk
-> I don't hit the Qualys API limit.

I guess it's a problem of "delta" download, but I'm not sure.

Does it exist a way to force the Qualys App in Splunk to force the downloading of all the datas (not only the new datas) ?

Thanks a lot for your help

Best regards,

Cyrille

Labels (1)
Labels
0 Karma
Reply

nit123
Path Finder
‎06-16-2017 06:04 AM

Can you confirm the following . I assume you are using /api/2.0/fo/asset/host/vm/detection/ API.

  1. Version of Qualys App

  2. Is the data input enabled on your Splunk instance ?

  3. Are you pulling vulnerabilities data for the first time or doing a delta pull ? if you already have data pulled from earlier API pull, the checkpoint file shall have the date of when the last run happened.

Now, to answer your question 'Does it exist a way to force the Qualys App in Splunk to force the downloading of all the datas (not only the new datas) ? '

  1. The checkpoint file is located at /opt/splunk/var/lib/splunk/modinputs/qualys/filename . If you are ok with pulling entire data again, delete that file specific to your input.

  2. Restart your splunk instance so that app repolls the data .

Tips to check data pull

  1. The older app had a script, which was used to debug the data pulling operations. If your SPLUNK_HOME is /opt/splunk, then from SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform run following command - /opt/splunk/bin/splunk cmd python ./bin/run.py -h

  2. Check if there are any API errors at /opt/splunk/var/log/splunk/ta_QualysCloudPlatform.log

Hope this helps solve your question. If not , request you to provide more information on the questions above. Thanks.

Reply
Get Updates on the Splunk Community!

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...