Assign data source priorities in Splunk Asset and Risk Intelligence

Prioritize data sources based on timeliness, accuracy, and completeness in Splunk Asset and Risk Intelligence. When Splunk Asset and Risk Intelligence aggregates data sources, there might be conflicts between field values. With prioritization, you can decide which data sources, and which particular fields, are the most accurate.

Splunk Asset and Risk Intelligence inventories store high priority field values over low priority field values regardless of the consecutive order of the data sources in which the fields came from. For example, two data sources might provide different values for the same field. Splunk Asset and Risk Intelligence keeps only one value for each field: the one with the highest priority. A field value can only be overwritten by a field value with an equal or higher priority.

You can also set a retention period for field values so that the priority reduces or clears after a specific time period. Setting a retention period is useful for aging out a stale field such as an IP address. See Modify the retention period for asset inventory fields.

You can prioritize sources at the data source level and at the field level. When you prioritize a source at the data source level, Splunk Asset and Risk Intelligence assigns each field value from that data source the same priority. You can be more granular by prioritizing a source at the field level, which allows you to assign different priorities to each individual field from a data source. For example, a data source might have a priority level of High, but the IP address from that data source can have an individual field level priority of Highest.

Prioritize a source at the data source level

To prioritize a data source, complete the following steps:

1. Select Admin then Data sources and then Data source management.
2. Select the settings icon ( ) next to the data source you want to set a priority for.
3. Select a priority level for each inventory.
4. Select Update.
5. (Optional) If you're decreasing an existing priority level, you can select Reset priority in the resulting dialogue box to update the priority for searches run in your specified time window. Select Run priority reset to apply the changes to your selected inventories.

Prioritize a source at the field level

Sometimes a low-priority data source might have a high-priority field. You can use data source field prioritization to overwrite high-priority data sources when a low-priority source has a particularly accurate field. For example, a data source might not have accurate asset intelligence other than an IP address, which might have near real-time accuracy.

To prioritize a data source at the field level, complete the following steps:

1. Select Admin then Data sources and then Data source management.
2. Select the more icon ( ) next to the data source you want to set a priority for.
3. Select Manage data source field priorities.
4. Select the inventory that you want to apply the field prioritization to.
5. Using the drop-down list, select the field name that you want to prioritize.
6. Set the priority for the selected field name.
7. Select Add.
8. To return to the data source management page, select Close.

Reprioritize data sources and fields

To reprioritize a data source or a data source field, complete the following steps:

1. Select Admin then Data sources and then Data source management.
2. To reprioritize a data source field, select the more icon ( ) next to the data source you want to change the field priority for.
   1. Select Manage data source field priorities.
   2. Select an inventory, and then use the drop-down lists to select a field and a new priority.
   3. Select Add.
   4. Select Close.
3. To reprioritize a data source, select the settings icon ( ) next to the data source you want to change the priority for.
   1. Using the drop-down lists, select a new priority level for each inventory.
   2. Select Update to save your changes.
4. (Optional) If you reduced any priority levels, you can reset the priority for existing data in the Data source priority reset dialog box.
   1. Select a Reset time window using the drop-down list. You can select a subset of records based on the last time the record was updated using the reset time window. For example, selecting Past 7 days resets the priority on all inventory records updated in the past 7 days.
   2. Select Run priority reset.

After you change the priority levels, the new priority levels apply as Splunk Asset and Risk Intelligence processes new data. Existing data that's already stored in the app maintains its existing priority level and doesn't reflect any changes you make unless you run a priority reset.

Run a priority reset

To run a priority reset for existing data, complete the following steps:

1. Select the settings icon ( ) next to the data source you want to reset the priority for.
2. Select Reset priority in the Edit data source dialog box.
3. Select a Reset time window using the drop-down list.
4. Select the check boxes for the inventories you want to reset.
5. Select Run priority reset.

A priority reset changes all data source field level priorities to the priority assigned to the data source.

See also

To automatically deprioritize a data source field after a particular period of time, see Manage asset inventory retention in Splunk Asset and Risk Intelligence.