Create and modify event searches in Splunk Asset and Risk Intelligence
If you added a custom data source, you must create an event search using the Search Processing Language (SPL) to map the fields to inventories. Splunk Asset and Risk Intelligence automatically adds a predefined event search for known data sources, so you don't need to create event searches for known data sources. However, you can modify the default event search.
Create or modify an event search
To create or modify an event search, complete the following steps:
- Select Admin then Data sources and then Data source management.
- Select the search icon ( ) next to the data source you want to create or modify an event search for.
- Enter your search using SPL. You must adhere to the Splunk Asset and Risk Intelligence field mappings. See Data source field mapping reference.
For real-time data sources, you can't use the pipe ( | ) operator. For batched data sources, event searches must result in a tabulated results set.
- (Optional) Test the search by selecting Open in search.
- Select Update.
Some event searches for batched data sources contain a mapped field called ari_lastdetect
, which indicates when the record was last updated. If the ari_lastdetect
field is present, Splunk Asset and Risk Intelligence uses this field as the last detection date for the data source event. If there is no ari_lastdetect
field, then Splunk Asset and Risk Intelligence uses the _time
field from when the batched event search runs.
Validate a data source for appropriate event search field mapping
Each identified data source in Splunk Asset and Risk Intelligence must have its relevant fields mapped to one or more data models. To validate that the data source has the appropriate field mapping, complete the following steps:
You can only validate batched data sources if you selected Generate summary in the Event search dialog box.
- Select Admin then Data sources and then Data source management.
- Select the more icon ( ) next to the data source you want to validate.
- Select Validate data source.
- Using the drop-down lists, select a time frame and an inventory type.
- Audit the table results for fields that display a check mark for Required but an X for Values found. You can select the Hide missing fields check box to filter the results.
- Select Close.
If you find a missing required field, modify the event search. See Create or modify an event search.
Add or modify a data source in Splunk Asset and Risk Intelligence | Assign data source priorities in Splunk Asset and Risk Intelligence |
This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2
Feedback submitted, thanks!