If you're still having this issue, check your logs for the lag between event time and index time. The Tenable add-on pulls all of your open vulnerability data first, and only pulls in the fixed data after all of the open stuff is complete. If you've got a large lag time, it may not be getting as far as actually pulling in the fixed vulns. Check the /opt/splunk/etc/apps/TA-tenable/default/inputs.conf (and the local inputs.conf if you have one) and look for the "page_size" setting. Increasing this number may resolve the issue. When I was troubleshooting a similar issue, Tenable indicated the number hadn't been changed - but it was set to 1000 - meaning it ran API calls for 1000 records at a time - and wasn't ever finishing with a large number of vulns. We increased this to 10000, reducing the API calls by a factor of 10 - and allowing the process to complete so all our vulns got pulled in.
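An added example (not part of the original post and not the add-on's own code): a small Python check that layers a local inputs.conf over the default one to show which page_size is actually in effect, and how many paged API calls a given number of records then needs. The stanza name, the sample file contents and the record count are constructed for illustration.

```python
import math

# Constructed sample files. The stanza name is hypothetical, not taken from the add-on.
DEFAULT_CONF = """
[example_tenable_input://default]
interval = 3600
page_size = 1000
"""
LOCAL_CONF = """
# local/inputs.conf overrides default/inputs.conf key by key
[example_tenable_input://default]
page_size = 10000
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective_page_sizes(default_text, local_text=""):
    """Return {stanza: (page_size, source)}; a local value replaces the default one."""
    result = {}
    for source, text in (("default", default_text), ("local", local_text)):
        for stanza, settings in parse_conf(text).items():
            if "page_size" in settings:
                result[stanza] = (int(settings["page_size"]), source)
    return result

def api_calls(record_count, page_size):
    """Number of paged requests needed to fetch record_count records."""
    return math.ceil(record_count / page_size)

if __name__ == "__main__":
    records = 250_000  # constructed record count
    for stanza, (size, source) in effective_page_sizes(DEFAULT_CONF, LOCAL_CONF).items():
        print(f"{stanza}: page_size={size} (from {source}), "
              f"{api_calls(records, size)} API calls for {records} records")
```

On a real host, read the two inputs.conf files named in the post into the two arguments instead of the constructed strings.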