KnowledgeBase Settings FAQs

Refer to the following frequently asked questions for details on KnowledgeBase (KB) settings.

How do I create a KB CSV lookup definition on the search head?

These steps make the KB CSV file data available in searches through a lookup definition.

  1. Go to Settings > Lookups. On the Lookups page, click Add New in the Lookup definitions row to create a lookup for the KB CSV file.
  2. From the Destination app field, select search as the destination app for the lookup.
  3. In the Name field, enter qualys_kb_lookup.
  4. From the Type field, select File-based.
  5. From the Lookup file field, select qualys_kb.csv.
  6. Click Save to create the KB CSV lookup.

What happens if you disable KB indexing after enabling it initially?

The KB CSV lookup file is generated in the SPLUNK_HOME/etc/apps/TA-QualysCloudPlatform/lookups/ directory, while the KB CSV file generated earlier in the SPLUNK_HOME/etc/apps/search/lookups/ directory is still present. Because both copies exist, you may not receive updated data or may see a blank dashboard. To view updated data on the dashboard, remove the old KB CSV file and disable the scheduled saved searches from the Splunk UI as follows:

  1. Remove the KB CSV file.
    1. Go to Settings > Lookups > Lookup table files and find /opt/splunk/etc/apps/search/lookups/qualys_kb.csv path.
    2. Click Delete from Actions.
  2. Disable the scheduled saved searches.
    1. Go to Settings > Searches, Reports, and Alerts.
    2. Select the Search & Reporting (search) app and open the scheduled saved search that you created.
    3. Click Edit, then click Disable to disable the scheduled saved search.

What happens when you enable the index KnowledgeBase data?

When you enable indexing, TA determines whether the KB data is being indexed into Splunk for the first time or has been indexed before. If TA determines that the KB data is being indexed for the first time, it pulls the entire KB data starting from 1999-01-01. TA pulls the entire data set so that the KB data you could see before upgrading TA is available to you in the new version. If the KB data has been indexed before, TA uses the KB checkpoint date of the last run as the start date for pulling KB data.

How does TA determine if the KB data is getting indexed for the first time?

When you upgrade Splunk TA to 1.8.4 or later and choose to index the KB data into Splunk, TA determines whether the KB indexing option is being enabled for the first time. TA does this by checking whether the KB checkpoint file is empty and whether the KB CSV file exists. Note that TA creates a KB CSV file when you upgrade Splunk TA to 1.8.4 or later. If both conditions are true, TA fetches the KB data from 1999-01-01, updates the KB checkpoint file with the latest date and time, and removes the KB CSV file from the lookup folder if it exists.

If you remove or clear the data from the KB checkpoint file, TA verifies that the KB checkpoint file is empty and that the KB CSV file is missing before starting the indexing process. If both conditions are met, TA concludes that this is not the first time the KB indexing option has been enabled. In this case, TA uses the start date specified on the KB input data form to retrieve the KB data from your Qualys account, and then updates the KB checkpoint file with the most recent date and time.

If the index KB check box is not selected, TA generates the KB CSV file but does not update the KB checkpoint file.
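The decision rules in the three paragraphs above, modelled as a small function so the four cases can be checked side by side. This is added example code, not the TA-QualysCloudPlatform source; the checkpoint file holding a single ISO-8601 timestamp and the function and field names are assumptions.

```python
"""Illustrative model of how the KB pull start date is chosen (assumed logic, per the FAQ)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Start date the FAQ gives for a first-time full pull of the KnowledgeBase.
FULL_HISTORY_START = "1999-01-01"


@dataclass
class Plan:
    pull_from: Optional[str]  # date the KB pull starts from; None when KB is not indexed
    first_run: bool           # TA treats this as the first time KB indexing was enabled
    remove_csv: bool          # the KB CSV in the lookups folder is removed after the pull
    update_checkpoint: bool   # the checkpoint file receives the latest date and time


def plan_kb_run(index_kb: bool, checkpoint: str, csv_exists: bool, form_start_date: str) -> Plan:
    """Decide where the KB pull starts, following the cases described in the FAQ."""
    if not index_kb:
        # Index KB unchecked: the CSV is generated, the checkpoint file is left untouched.
        return Plan(pull_from=None, first_run=False, remove_csv=False, update_checkpoint=False)

    checkpoint_empty = checkpoint.strip() == ""
    if checkpoint_empty and csv_exists:
        # Empty checkpoint and a CSV from the upgrade: first run, pull everything, drop the CSV.
        return Plan(FULL_HISTORY_START, True, True, True)
    if checkpoint_empty and not csv_exists:
        # Checkpoint cleared by hand and no CSV: not a first run, honour the input form's start date.
        return Plan(form_start_date, False, False, True)

    # Checkpoint present: resume from the last run's checkpoint date (assumed ISO-8601 format).
    last_run = datetime.fromisoformat(checkpoint.strip())
    return Plan(last_run.date().isoformat(), False, False, True)


if __name__ == "__main__":
    # Constructed sample inputs covering each branch.
    print(plan_kb_run(True, "", True, "2023-06-01"))                      # first run
    print(plan_kb_run(True, "", False, "2023-06-01"))                     # cleared checkpoint
    print(plan_kb_run(True, "2024-02-10T08:15:00", False, "2023-06-01"))  # resume
    print(plan_kb_run(False, "", True, "2023-06-01"))                     # index KB unchecked
```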