Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796 and SPL-248319, where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Troubleshoot Splunk Asset and Risk Intelligence

To find troubleshooting steps for resolving issues you might face with Splunk Asset and Risk Intelligence, see the following list:

User can't save filters

Sometimes when a user can't save filters on the asset discovery pages, it's because they don't have the correct capability added to their role. To add the capability for saving filters to a user's role, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin and then Permission settings.
  2. Select Add role capabilities.
  3. Using the drop-down list, select the user's role that you want to edit.
  4. Select the ari_save_filters capability.
  5. Select Add.

You must have the ari_admin role to edit roles in Splunk Asset and Risk Intelligence.

For more details on roles and capabilities, see Set up roles and capabilities for Splunk Asset and Risk Intelligence.

The Network asset investigation page doesn't update records in the record panel

Sometimes while investigating an asset, you might notice that the record panel doesn't update on the Network asset investigation page. For example, you might notice that an IP address is out-of-date and that the latest IP address doesn't appear. The data source that provided the IP address might have a higher priority than other data sources. If that data source has stopped sending data, other lower-priority data sources don't overwrite the IP address with a newer IP address.

To resolve this issue, you can reassign data source priorities as needed by completing the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin then Data sources and then Data source management.
  2. In the Configured data sources table, locate the data source you want to prioritize.
  3. Select the settings icon for that source.
  4. Using the drop-down list in the Data source inventory priorities section, select the new priority level for the network inventory.
  5. Select Update.

For more details on data source priorities, see Assign data source priorities in Splunk Asset and Risk Intelligence.

User can't manage metrics, add exceptions, or create alerts

Sometimes when a user can't manage metrics, add exceptions, or create alerts, it's because they don't have the correct capabilities added to their role. To add the capabilities for managing metrics to a user's role, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin and then Permission settings.
  2. Select Add role capabilities.
  3. Using the drop-down list, select the user's role that you want to edit.
  4. Select the ari_manage_report_exceptions, ari_dashboard_add_alerts, ari_manage_posture_settings, and ari_manage_metric_settings capabilities.
  5. Select Add.

You must have the ari_admin role to edit roles in Splunk Asset and Risk Intelligence.

For more details on roles and capabilities, see Set up roles and capabilities for Splunk Asset and Risk Intelligence.

There are missing icons on the Data source management page

If there are no action icons on the Data source management page, you might not have the correct capability to manage data sources. To add the capability for managing data sources, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin and then Permission settings.
  2. Select Add role capabilities.
  3. Using the drop-down list, select the user's role that you want to edit.
  4. Select the ari_manage_data_source_settings capability.
  5. Select Add.

You must have the ari_admin role to edit roles in Splunk Asset and Risk Intelligence.

For more details on roles and capabilities, see Set up roles and capabilities for Splunk Asset and Risk Intelligence.
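The three capability-related sections above (saving filters; managing metrics, exceptions, and alerts; managing data sources) all come down to a role missing specific ari_* capabilities. The following is an added example, not Splunk's own code, that reports which of those capabilities a role lacks, including ones it would inherit through importRoles. It assumes the role definitions are available in authorize.conf stanza syntax; the role names and the sample configuration are constructed for illustration.

```python
import configparser

# Task -> capabilities, taken from the troubleshooting sections on this page.
REQUIRED = {
    "save filters": {"ari_save_filters"},
    "manage metrics, add exceptions, create alerts": {
        "ari_manage_report_exceptions", "ari_dashboard_add_alerts",
        "ari_manage_posture_settings", "ari_manage_metric_settings"},
    "manage data sources": {"ari_manage_data_source_settings"},
}
# Constructed sample in authorize.conf syntax; role names are hypothetical.
SAMPLE = """
[role_asset_viewer]
ari_save_filters = enabled
[role_asset_analyst]
importRoles = asset_viewer
ari_manage_report_exceptions = enabled
ari_dashboard_add_alerts = enabled
ari_manage_metric_settings = enabled
[role_loop_a]
importRoles = loop_b
[role_loop_b]
importRoles = loop_a;asset_viewer
"""

def load_roles(text):
    """Return {role: (own capabilities, imported role names)}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of keys such as importRoles
    cp.read_string(text)
    roles = {}
    for section in filter(lambda s: s.startswith("role_"), cp.sections()):
        opts = dict(cp[section])
        imports = [r.strip() for r in opts.pop("importRoles", "").split(";") if r.strip()]
        caps = {k for k, v in opts.items() if v.strip().lower() == "enabled"}
        roles[section[len("role_"):]] = (caps, imports)
    return roles

def effective_caps(roles, name, seen=None):
    """Own plus inherited capabilities; tolerates import cycles and unknown roles."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    caps, imports = roles[name]
    return set(caps).union(*(effective_caps(roles, p, seen) for p in imports))

def missing_for(roles, name):
    """Map each task the role cannot perform to the capabilities it lacks."""
    have = effective_caps(roles, name)
    return {task: sorted(need - have) for task, need in REQUIRED.items() if need - have}
```

Because Splunk merges authorize.conf from several locations, run this against the merged output of `splunk btool authorize list` rather than a single file. Reviewing the result before adding capabilities helps keep each role limited to what its users actually need.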

Welcome message continues to appear after dismissal

Sometimes the dialog box with the Splunk Asset and Risk Intelligence welcome message continues to appear even after selecting "Dismiss". This happens because new versions of the app often contain updated JavaScript code and other files that your browser typically caches. To resolve this issue, you must clear your cache or run the bump command.

User adds a data source but can't see any data

Sometimes after adding a data source, you might not see any fields or values populated when validating the data source. There are several potential causes for this. To troubleshoot, complete the following checks:

Make sure the search time window captures the data

  1. In Splunk Asset and Risk Intelligence, select Admin then Data sources and then Data source management.
  2. In the Configured data sources table, locate the data source you want to modify.
  3. Select the more icon.
  4. Select Validate data source.
  5. Select a new time for the Search time window. A longer time frame captures more data.

Make sure the data source adheres to the correct field mapping

In Splunk Asset and Risk Intelligence, data sources must have a common set of field mappings across each of the inventories. Splunk Asset and Risk Intelligence automatically maps the fields in known data sources to the relevant inventories. However, you must map certain fields in custom data sources to the appropriate inventories. For example, the IP inventory captures all IP addresses associated with network assets. Data sources mapped to this inventory must contain the ari_ip field. See Data source field mapping reference.

Make sure the data source has a priority set for the correct inventory

  1. In Splunk Asset and Risk Intelligence, select Admin then Data sources and then Data source management.
  2. In the Configured data sources table, locate the data source you want to prioritize.
  3. Select the settings icon for that source.
  4. Using the drop-down lists in the Data source inventory priorities section, select the new priority level for the inventory you're validating. For example, if you're validating against an IP address inventory type, then the data source must have a priority set for the IP inventory.
  5. Select Update.

For more details on data source priorities, see Assign data source priorities in Splunk Asset and Risk Intelligence.

Manually run a batched search by generating a source summary

If you added a batched data source, the source might not have generated the data yet, and validation will not work. Batched data sources run on a schedule, which is typically once per hour or once per day. You can run the search outside of its schedule by completing the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin then Data sources and then Data source management.
  2. In the Configured data sources table, locate the data source you want to run the event search for.
  3. Select the search icon for that source.
  4. Select Generate summary now in the Manage Event Search dialog box to run the batched search immediately.
  5. Validate the source again by selecting the more icon and then Validate data source.
Last modified on 05 August, 2024

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2

