Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 because of known issues SPL-237796 and SPL-248319, in which search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Monitor, export, and share audit data in Splunk Asset and Risk Intelligence

You can monitor, export, and share audit data in Splunk Asset and Risk Intelligence from several available audit reports. You might want to review audit reports, for example, before and after you upgrade the Splunk Asset and Risk Intelligence app. To access audit data, select Admin and then Audit.

The following table outlines the available audit reports and what you can do with each one:

| Audit report | Description |
| --- | --- |
| Configuration audit | The Configuration audit page reports on local configurations, which include changes that override the original configuration, and additional configurations, which include added changes that don't override the original configuration. The result column displays either a value of different or identical, which describes how the item compares to the original configuration. To find a particular configuration change, you can filter by type, file, and more. |
| Configuration healthcheck | You can use the Configuration healthcheck page to monitor for errors with configured metrics and data sources. You can also monitor current knowledge objects, such as default user accounts, and compare them against the expected knowledge objects. |
| Sharing audit | Some objects, such as dashboards or saved searches, in Splunk Asset and Risk Intelligence are shared only within the app, while others are shared globally with other apps. You can review the sharing status of objects on the Sharing audit page, and you can filter objects by type, such as lookups or macros. |
| Operational logs | On the Operational logs page, you can view configuration changes, app sharing changes, and report downloads completed by users. You can also filter the logs by user. |
| License usage | The License usage page reports on license usage based on the limit set on the Configuration settings page. You can set the license limit for this dashboard by selecting Admin then Configuration settings and then editing the Licence asset usage limit in the Default configurations section. |
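
The comparison that the Configuration audit row describes can be reproduced offline when you review configuration drift before and after an upgrade. The following is an added example, not code from Splunk or from the app: the stanza names, settings, and file contents are constructed, and leaving the result empty for additional settings is an assumption.

```python
# Constructed sample .conf contents; stanza and key names are illustrative only.
DEFAULT_CONF = """\
[example_search]
cron_schedule = */30 * * * *
disabled = 0
"""
LOCAL_CONF = """\
# edited by an admin
[example_search]
cron_schedule = */5 * * * *
disabled = 0
description = tuned after upgrade

[my_added_search]
disabled = 1
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}.
    Minimal parser: comments and blank lines are skipped, and
    backslash line continuations are not handled."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def audit(default_text, local_text):
    """Classify every local setting against the original configuration."""
    default, local = parse_conf(default_text), parse_conf(local_text)
    rows = []
    for stanza, settings in sorted(local.items()):
        for key, value in sorted(settings.items()):
            original = default.get(stanza, {}).get(key)
            if original is None:
                # Nothing to compare against (assumption: no result value).
                rows.append((stanza, key, "additional", None))
            else:
                result = "identical" if value == original else "different"
                rows.append((stanza, key, "local", result))
    return rows

if __name__ == "__main__":
    for row in audit(DEFAULT_CONF, LOCAL_CONF):
        print(row)
```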

Export inventory data

You can download any of the following Splunk Asset and Risk Intelligence inventories as a CSV or JSON file:

  • Network
  • IP
  • User
  • MAC
  • Software
  • Vulnerability
  • Splunk Enterprise Security assets
  • Splunk Enterprise Security identities

To export inventory data, complete the following steps:

  1. Select Admin then Audit and then Data export.
  2. Using the drop-down list, select the inventory you want to download. For example, Network asset inventory.
  3. Select Download.
  4. Enter a filename.
  5. Select CSV or JSON for the Output format.
  6. Select Download.

Monitor the operational health of Splunk Asset and Risk Intelligence

As an admin, you can monitor Splunk Asset and Risk Intelligence operations by auditing the operational health dashboard. To view the dashboard, select Admin and then Operational health.

The operational health dashboard includes information on data source compliance, internal lookup health, processing search times, KV store details, and more. You can use this data to report on the health of Splunk Asset and Risk Intelligence. For example, you might find that the processing time for a search is particularly high. A high processing time might indicate a high search load on the Splunk search head.

Last modified on 05 August, 2024

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2

