Add a custom field in Splunk Asset and Risk Intelligence
Add business-specific custom fields to any of the following inventories in Splunk Asset and Risk Intelligence:
- Asset
- IP address
- Identity
- MAC address
- Software
- Vulnerability
To see a list of the default fields for each inventory, see Field reference for Splunk Asset and Risk Intelligence.
Add a custom field
There are two parts to adding custom data fields in Splunk Asset and Risk Intelligence:
- Part 1: Define the custom field for an inventory
- Part 2: Edit the event search for a batched data source
Part 1: Define the custom field for an inventory
To add a custom field to Splunk Asset and Risk Intelligence, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Admin then Data sources and then Custom data field management.
- Select Add field for the inventory you want to add a custom field to.
- Enter the field name.
- (Optional) Select the check box to hide the field from the investigation view. Hiding the field removes it from the Record panel on the investigation page.
- Select Add.
Part 2: Edit the event search for a batched data source
To populate your custom fields, edit the event search for a batched data source. Make sure that the Search for events contains the custom fields you want to add. See Create or modify an event search.
View custom data field values
After you add a custom field, you can find it by selecting Admin then Data sources and then Custom data field management.
To see a list of values for a custom field, select Admin then Data enrichment and then Custom data listing.
This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.1.1