Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796, SPL-248319 where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Manage enrichment rules in Splunk Asset and Risk Intelligence

Using rules-based artificial intelligence, Splunk Asset and Risk Intelligence can normalize, enrich, and add field values in its inventories. For example, using enrichment rules, Splunk Asset and Risk Intelligence can normalize the values "Microsoft Windows Server 2003 R2" and "MS Win 2003 Server" between two different data sources.

Each enrichment rule has at least one enrichment rule parameter, which contains input and output fields. The input and output fields represent asset record fields within the inventory. For example, an operating system enrichment rule might specify the os field as an input and then the os and asset_type fields as outputs. The following table provides examples of parameters for this particular enrichment rule:

input (os) output (os) output (asset_type)
*windows xp* Windows XP Workstation
*osx 3* Mac OSX 3 Workstation
Win2016 Windows 2016 Server Server

Parameters aren't case-sensitive.

In this example, Splunk Asset and Risk Intelligence analyzes the data from the input field, or os, and uses it to do the following:

  • Normalize the os field values to have consistent outputs
  • Populate the asset_type field values

You can manage enrichment rules by doing the following:

Add, edit, or delete enrichment rule parameters

To add, edit, or delete an enrichment rule parameter, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin then Data enrichment and then AI enrichment rules.
  2. Select the inventory for the rule you want to manage parameters for. For example, Network.
  3. Locate the rule in the enrichment rules table.
  4. Select the preferences icon ( preferences ).
  5. To change the output field value of a parameter, select the settings icon ( settings ).
    1. Enter the new output field value.
    2. Select Update.
  6. To add a new rule parameter, select Add rule parameter.
    1. Enter the input and output field values.
    2. Select Add parameter.
  7. To delete a rule parameter, select the remove icon ( remove ), and then select OK.
  8. After you finish managing the enrichment rule parameters, select Close.

Create a new enrichment rule

To create a new enrichment rule, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin then Data enrichment and then AI enrichment rules.
  2. Select the inventory you want to create a rule for. For example, Network.
  3. Select Add enrichment rule.
  4. Enter a name for the rule.
  5. Using the drop-down list, select the order number in which to run the rule.
  6. (Optional) Enter a description for the rule.
  7. Select an input and an output field. You must select at least one of each.
  8. Select Add.

Modify the enrichment rule execution order

Enrichment rules run in a particular order, which means that a particular asset field value might change with one rule before it's processed by another rule. For example, the rule with an Execution order of 1 runs before the rule with an execution order of 2. To change the order that the enrichment rules run, completing the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin then Data enrichment and then AI enrichment rules.
  2. Select the inventory you want to arrange the rule order for. For example, Network.
  3. In the Execution order column of the enrichment rules table, select the up and down arrow icon ( order ) for the rule you want to arrange.
  4. Using the drop-down list, select a number to represent the new order for the rule.
  5. Select Update.

Edit or delete an enrichment rule

To edit or delete an enrichment rule, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin then Data enrichment and then AI enrichment rules.
  2. Select the inventory you want to edit or delete a rule for. For example, Network.
  3. Locate the rule in the enrichment rules table.
  4. To edit a rule, select the settings icon ( settings ).
    1. If you want to activate or deactivate the rule, select the Active or Inactive toggle switch.
    2. If you want to edit the description, enter a new one.
    3. Select Update.
  5. To delete a rule, select the remove icon ( remove ), and then select Delete.
Last modified on 05 August, 2024
Set up directories for Splunk Asset and Risk Intelligence   Review internal enrichment data in Splunk Asset and Risk Intelligence

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters