Splunk Error while running query

I am getting an error while running the SQL query from a Splunk heavy forwarder to the Data warehouse server.
Another error: org.postgresql.util.PSQLException: ERROR: function fact_remediation(integer, unknown) does not exist Hint: No function matches the given name and argument types. You might need to add explicit type casts. Position: 827

Would really appreciate it if someone can suggest which part is creating the conflict.
The query that I am running is below:

SELECT DISTINCT dv.title AS "Vulnerability Title",ds.summary AS "Solution Summary", proofAsText(ds.fix) AS "Solution Steps",da.asset_id AS "Asset ID",

da.ip_address AS "IP Addresse", da.host_name AS "Host Name", da.mac_address AS "MAC Address",da.sites AS "Sites", dos.description AS "Operating System",

ds2.name AS "Service Name", fasvi.port AS "Service Port", dv.severity AS "Severity",round(cast(dv.cvss_score as numeric), 1) AS "CVSS Score",

dv.date_published AS "Vuln Published Date", dv.description AS "Vuln Description", proofAsText(fasvi.proof) AS "Proof",

dv.cvss_vector AS "CVSSv2",dv.cvss_v3_vector AS "CVSSv3",dv.vulnerability_id AS "Vuln ID",

(SELECT array_to_string(array_agg(reference), ',') FROM dim_vulnerability_reference WHERE source = 'CVE' AND vulnerability_id = dv.vulnerability_id) AS cves

FROM fact_remediation(25, 'riskscore DESC') AS fr

JOIN dim_solution AS ds ON fr.solution_id = ds.solution_id

JOIN dim_asset_vulnerability_solution davs ON fr.solution_id = davs.solution_id

JOIN dim_asset AS da ON davs.asset_id = da.asset_id

JOIN dim_operating_system dos ON (dos.operating_system_id = da.operating_system_id)

JOIN dim_vulnerability dv ON (dv.vulnerability_id = davs.vulnerability_id)

JOIN fact_asset_scan_vulnerability_instance fasvi ON (fasvi.vulnerability_id = dv.vulnerability_id AND fasvi.asset_id = da.asset_id)

JOIN dim_service ds2 ON (ds2.service_id = fasvi.service_id)

JOIN dim_asset_service_configuration dasc ON (dasc.service_id = ds2.service_id)

JOIN dim_vulnerability_reference dvr ON (dvr.vulnerability_id = dv.vulnerability_id)

If you are running this against a data warehouse, the data model is different than what is being used on the backend of the Security Console.

In short, fact_remediation is not available in the data warehouse schema, so you will need to convert the query to support the DW schema.

3 Likes
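A way to confirm this from the Splunk side before rewriting anything, as an added example that is not part of the original thread: the two catalog queries below, run over the same PostgreSQL connection the failing query uses, report which functions and tables named in that query actually exist in the target database. The object names are taken from the query above; the assumption is that the connecting role can read the standard PostgreSQL catalogs.

```sql
-- Added diagnostic (not from the original thread).
-- 1. Functions the query calls. No row for fact_remediation means the
--    function is absent from this database; a row with a different
--    argument list would instead point to a type-cast problem, which is
--    the other cause of the same PSQLException text.
SELECT n.nspname                        AS schema_name,
       p.proname                        AS function_name,
       pg_get_function_arguments(p.oid) AS arguments
FROM pg_proc AS p
JOIN pg_namespace AS n ON n.oid = p.pronamespace
WHERE p.proname IN ('fact_remediation', 'proofastext')  -- unquoted names fold to lower case
ORDER BY schema_name, function_name;

-- 2. Tables and views the query joins. present = false marks every
--    relation that has to be replaced when porting to the target schema.
--    information_schema.tables only lists relations the connecting role
--    has some privilege on, so a missing grant also shows as false.
SELECT w.name                      AS referenced_relation,
       t.table_schema,
       (t.table_name IS NOT NULL)  AS present
FROM (VALUES
        ('dim_solution'),
        ('dim_asset_vulnerability_solution'),
        ('dim_asset'),
        ('dim_operating_system'),
        ('dim_vulnerability'),
        ('fact_asset_scan_vulnerability_instance'),
        ('dim_service'),
        ('dim_asset_service_configuration'),
        ('dim_vulnerability_reference')
     ) AS w(name)
LEFT JOIN information_schema.tables AS t
       ON t.table_name = w.name
      AND t.table_schema NOT IN ('pg_catalog', 'information_schema')
ORDER BY present, referenced_relation;
```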