Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 because of the known issues SPL-237796 and SPL-248319, in which searches return more rows in "results" than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Create and modify event searches in Splunk Asset and Risk Intelligence

If you added a custom data source, you must create an event search using the Search Processing Language (SPL) to map the fields to inventories. Splunk Asset and Risk Intelligence automatically adds a predefined event search for known data sources, so you don't need to create event searches for known data sources. However, you can modify the default event search.

Create or modify an event search

To create or modify an event search, complete the following steps:

  1. Select Admin then Data sources and then Data source management.
  2. Select the search icon next to the data source for which you want to create or modify an event search.
  3. Enter your search using SPL. You must adhere to the Splunk Asset and Risk Intelligence field mappings. See Data source field mapping reference.

    For real-time data sources, you can't use the pipe ( | ) operator. For batched data sources, event searches must result in a tabulated results set.

  4. (Optional) Test the search by selecting Open in search.
  5. Select Update.

Some event searches for batched data sources contain a mapped field called ari_lastdetect, which indicates when the record was last updated. If the ari_lastdetect field is present, Splunk Asset and Risk Intelligence uses this field as the last detection date for the data source event. If there is no ari_lastdetect field, then Splunk Asset and Risk Intelligence uses the _time field from when the batched event search runs.
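The following event search is an added example for a batched custom data source, not a search shipped with Splunk Asset and Risk Intelligence. The index, sourcetype, and source field names (asset_id, host_name, ip_address, mac_address) are constructed, and the output field names nt_host, ip, and mac are assumed to match the target inventory; check them against the Data source field mapping reference. The search ends in a tabulated result set, as batched data sources require, and derives ari_lastdetect from the newest event time per asset (assumed here to be an epoch value) so that it is used as the last detection date instead of the time the batched search ran.

```spl
index=cmdb_export sourcetype="custom:cmdb:asset"
| stats latest(host_name) AS nt_host,
        latest(ip_address) AS ip,
        latest(mac_address) AS mac,
        max(_time) AS ari_lastdetect
  BY asset_id
| where isnotnull(nt_host) AND isnotnull(ip)
| table nt_host ip mac ari_lastdetect
```

The `where` clause drops rows that lack the fields the inventory requires, which is the same condition that the Validate data source dialog flags as Required without Values found. A real-time data source cannot use any of these piped commands, so its fields must already carry the mapped names at search time.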

Validate a data source for appropriate event search field mapping

Each identified data source in Splunk Asset and Risk Intelligence must have its relevant fields mapped to one or more data models. You can only validate batched data sources if you selected Generate summary in the Event search dialog box.

To validate that the data source has the appropriate field mapping, complete the following steps:

  1. Select Admin then Data sources and then Data source management.
  2. Select the more icon next to the data source you want to validate.
  3. Select Validate data source.
  4. Using the drop-down lists, select a time frame and an inventory type.
  5. Audit the table results for fields that display a check mark for Required but an X for Values found. You can select the Hide missing fields check box to filter the results.
  6. Select Close.

If you find a missing required field, modify the event search. See Create or modify an event search.

Last modified on 10 December, 2024

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2
