Manage enrichment rules in Splunk Asset and Risk Intelligence
Using rules-based artificial intelligence, Splunk Asset and Risk Intelligence can normalize, enrich, and add field values in its inventories. For example, using enrichment rules, Splunk Asset and Risk Intelligence can normalize the values "Microsoft Windows Server 2003 R2" and "MS Win 2003 Server" between two different data sources.
Each enrichment rule has at least one enrichment rule parameter, which contains input and output fields. The input and output fields represent asset record fields within the inventory. For example, an operating system enrichment rule might specify the os field as an input and then the os and asset_type fields as outputs. The following table provides examples of parameters for this particular enrichment rule:
input (os) | output (os) | output (asset_type) |
---|---|---|
*windows xp* | Windows XP | Workstation |
*osx 3* | Mac OSX 3 | Workstation |
Win2016 | Windows 2016 Server | Server |
Parameters aren't case-sensitive.
In this example, Splunk Asset and Risk Intelligence analyzes the data from the input field, or os, and uses it to do the following:
- Normalize the os field values to have consistent outputs
- Populate the asset_type field values
You can manage enrichment rules by doing the following:
- Add, edit, or delete enrichment rule parameters
- Create a new enrichment rule
- Modify the enrichment rule execution order
- Edit or delete an enrichment rule
Add, edit, or delete enrichment rule parameters
To add, edit, or delete an enrichment rule parameter, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Admin then Data enrichment and then AI enrichment rules.
- Select the inventory for the rule you want to manage parameters for. For example, Network.
- Locate the rule in the enrichment rules table.
- Select the preferences icon ( ).
- To change the output field value of a parameter, select the settings icon ( ).
- Enter the new output field value.
- Select Update.
- To add a new rule parameter, select Add rule parameter.
- Enter the input and output field values.
- Select Add parameter.
- To delete a rule parameter, select the remove icon ( ), and then select OK.
- After you finish managing the enrichment rule parameters, select Close.
Create a new enrichment rule
To create a new enrichment rule, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Admin then Data enrichment and then AI enrichment rules.
- Select the inventory you want to create a rule for. For example, Network.
- Select Add enrichment rule.
- Enter a name for the rule.
- Using the drop-down list, select the order number in which to run the rule.
- (Optional) Enter a description for the rule.
- Select an input and an output field. You must select at least one of each.
- Select Add.
Modify the enrichment rule execution order
Enrichment rules run in a particular order, which means that a particular asset field value might change with one rule before it's processed by another rule. For example, the rule with an Execution order of 1 runs before the rule with an execution order of 2. To change the order that the enrichment rules run, completing the following steps:
- In Splunk Asset and Risk Intelligence, select Admin then Data enrichment and then AI enrichment rules.
- Select the inventory you want to arrange the rule order for. For example, Network.
- In the Execution order column of the enrichment rules table, select the up and down arrow icon ( ) for the rule you want to arrange.
- Using the drop-down list, select a number to represent the new order for the rule.
- Select Update.
Edit or delete an enrichment rule
To edit or delete an enrichment rule, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Admin then Data enrichment and then AI enrichment rules.
- Select the inventory you want to edit or delete a rule for. For example, Network.
- Locate the rule in the enrichment rules table.
- To edit a rule, select the settings icon ( ).
- If you want to activate or deactivate the rule, select the Active or Inactive toggle switch.
- If you want to edit the description, enter a new one.
- Select Update.
- To delete a rule, select the remove icon ( ), and then select Delete.
Set up directories for Splunk Asset and Risk Intelligence | Review internal enrichment data in Splunk Asset and Risk Intelligence |
This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2
Feedback submitted, thanks!