Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796 and SPL-248319, where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Add or modify a data source in Splunk Asset and Risk Intelligence

You can manage data sources in Splunk Asset and Risk Intelligence by adding known or custom data sources and by modifying existing data sources.

Add a known data source

Splunk Asset and Risk Intelligence comes with a number of configured data sources. To add one of these known data sources, complete the following steps:

  1. Select Admin then Data sources and then Data source management.
  2. Select Add data source configuration.
  3. From the drop-down list, select Add known data source.
  4. (Optional) Turn on or turn off the toggle switch for Show only discovered data sources. When turned on, Splunk Asset and Risk Intelligence filters its list of known data sources to only the ones available in your environment. This option is on by default.
  5. From the list of known data sources, choose the data source you want to add. You can search for a data source by name or by source type. After you select a data source, you can see the following information:
    • Type: Whether the data source updates in batches or in real-time.
    • Method: How the data gets pulled in, such as by API or by forwarder.
    • Add-on: Whether or not the associated add-on is installed. The associated add-on must be installed in order to use the data source. If there is an ( x ) icon for the Installed field, select the link to the add-on to open Splunkbase.
    • Notes: A description of the source.
    • Processing: The types of data processing that Splunk Asset and Risk Intelligence uses for the data source.
  6. (Optional) Edit the nickname. After you select a data source, Splunk Asset and Risk Intelligence populates the nickname automatically. You can modify it before adding the source.
  7. For real-time data sources, update the Sourcetype if it's not correct. After you select a data source, Splunk Asset and Risk Intelligence populates the sourcetype automatically. Real-time sources might add knowledge objects tied to this sourcetype, so make sure the sourcetype matches the one you're using.
  8. Select Add source.

Add a custom data source

If you want to add a source that's not included in the list of known data sources, you can add a custom data source. To add a custom data source, complete the following steps:

  1. Select Admin then Data sources and then Data source management.
  2. Select Add data source configuration.
  3. From the drop-down list, select Add custom data source.
  4. Select the data source type. See Data source types for a description of the different data source types.
  5. Enter a nickname. The nickname is the display name for the data source, and it must be unique for each data source.
  6. Select the Category and Vendor.
  7. Turn on the toggle switch for the processing type you want to assign the data source to.
  8. Select whether or not to make the data source passive by turning the toggle switch on or off. A data source with a static data type, such as a CSV file upload, is a passive data source. Passive data sources don't have a reliable way of reporting a last detection date for when the assets were last active on the network. For passive data sources, Splunk Asset and Risk Intelligence doesn't label an asset as active if it was only discovered on that data source.
  9. (Optional) Select the toggle switch to turn on compliance window monitoring, and then enter a compliance window in seconds. The compliance window is the expected frequency that Splunk Asset and Risk Intelligence receives data from the source. If you turn on compliance window monitoring, you can see whether or not Splunk Asset and Risk Intelligence receives data from that source within the specified window. If you don't want to set a particular compliance window time, enter 0.
  10. Select Add.
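
One way to pick the compliance window in step 9 from observed data, and to confirm the sourcetype is actually arriving, shown as an added example that is not part of the Splunk documentation: this search measures the gaps between event arrivals for one sourcetype over the last 7 days. The sourcetype `placeholder:sourcetype`, the `index=*` scope, the 5-minute bucket size, and the doubling of the 95th-percentile gap (`assumed_window_s`) are assumptions to adapt to your environment.

```spl
| tstats count where index=* sourcetype="placeholder:sourcetype" earliest=-7d@d latest=now by _time span=5m
| where count > 0
| streamstats current=f last(_time) as prev_time
| eval gap_seconds = _time - prev_time
| stats max(gap_seconds) as max_gap_s, perc95(gap_seconds) as p95_gap_s, max(_time) as last_seen
| eval seconds_since_last = now() - last_seen
| eval assumed_window_s = 2 * p95_gap_s
| eval within_assumed_window = if(seconds_since_last <= assumed_window_s, "yes", "no")
| table last_seen, seconds_since_last, p95_gap_s, max_gap_s, assumed_window_s, within_assumed_window
```

Gaps are measured at the 5-minute bucket resolution, so the result is a rounded estimate. An empty result means no events with that sourcetype were indexed in the period, which is worth resolving before adding the source.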

Modify an existing data source

To modify an existing data source, complete the following steps:

  1. Select Admin then Data sources and then Data source management.
  2. Select the settings icon next to the source you want to modify.
  3. Make your changes.
  4. Select Update.

You can't rename a data source. Instead, delete the existing data source and create a new one.

You can also clone or delete an existing data source by selecting the more icon next to the source on the Data source management page.

Last modified on 28 February, 2025

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.1.1

