Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 because of known issues SPL-237796 and SPL-248319, where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Add metric exceptions in Splunk Asset and Risk Intelligence

Exclude particular assets from a metric calculation by adding a metric exception. When you add a metric exception, any assets that are in scope for the metric, but also meet your exception criteria, are excluded from the metric calculation. However, you can still see the omitted assets listed in the metric dashboard.

Adding a metric exception is helpful when there are assets that are typically compliant with the metric, but there is an exceptional reason why those assets are not compliant. For example, if there are servers running a legacy operating system, you might want to exclude them from your metric calculation because Splunk Asset and Risk Intelligence labels those servers as defects.

To filter the scope of your metric, such as filtering out workstations, rather than adding an exception, see Edit metric settings.

Add a manual metric exception

There are two ways you can manually add a metric exception:

  • Add an exception from a metric dashboard
  • Add an exception from the Metric exceptions page

Add an exception from a metric dashboard

To add a metric exception from a particular metric dashboard, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Risk and then Metrics.
  2. Select the metric you want to add exceptions to.
  3. In the Metric details table, select the check boxes for the records you want to exclude.

    You can filter the list of records by toggling between Defects and Compliant.

  4. Select Exceptions and then Add selected exceptions.

    You can also select View all exceptions to open the Metric exceptions page.

  5. Enter a Note for the exception. The note is recorded as the exception_reason.
  6. (Optional) Select the toggle switch to turn on Exception expiry. By turning on this option, you can create a temporary exception by designating a time period until the exception expires. For example, you can enter 15 to remove the exception after 15 days.
  7. Select Add.

After you add an exception, you can find it on the Metric exceptions page by selecting View all exceptions or by selecting the single value exception panel on the metric dashboard.

Add an exception from the Metric exceptions page

To add a metric exception from the Metric exceptions page, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Risk then Metrics and then Metric exceptions.
  2. Select Add exception.
  3. Using the drop-down list, select the Metric that you want to add an exception to.
  4. Enter the Exception value. For example, if you select NT Host for the field, enter the hostname for the exception value.
  5. Enter a reason for adding the exception.
  6. (Optional) Select the toggle switch to turn on Exception expiry. By turning on this option, you can create a temporary exception by designating a time period until the exception expires. For example, you can enter 15 to remove the exception after 15 days.
  7. Select Add.

After you add an exception, you can find it in the Exception listing table. You can filter and search for particular exceptions by reason and by value.

For more details on adding and managing metric exceptions, see Add and manage metric exceptions in the Investigate Assets and Assess Risk in Splunk Asset and Risk Intelligence manual.

Add an automated metric exception using exception logic

If you want to add a more advanced exception to your metric, such as excluding assets with a particular naming convention, you can do so with the metric exception logic.

Each metric has an exception logic where you can identify the assets to exclude from the given metric. Splunk Asset and Risk Intelligence turns off exception searches by default.

To activate an exception search and edit the exception logic, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin then Risk management and then Metric and framework management.
  2. In the Metrics table, select the more icon for the metric you want to edit.
  3. Select Edit exception logic.
  4. Review the logic for the metric opportunities.
  5. Edit the Exception logic.
    1. Enter a schedule in cron format to designate when the search runs.
    2. (Optional) Select the toggle switch to turn on Exception expiry. By turning on this option, you can create a temporary exception by designating a time period until the exception expires. For example, you can enter 15 to remove the exception after 15 days.
    3. Modify the search. The search identifies assets that are exceptions. Exceptions can be any of the fields in the Opportunities section.
    4. Enter a reason. You can enter a reason in quotes or in an if() / case() eval statement.
    5. (Optional) Test the logic by selecting Preview.
  6. Activate the exception search by changing the toggle switch to Active.
  7. Select Update.

After you activate the exception search and it runs in accordance with the specified schedule, you can find your updated metric exception by navigating to Risk then Metrics and then Metric exceptions in Splunk Asset and Risk Intelligence.
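The following search is an added illustration, not the exception logic that ships with Splunk Asset and Risk Intelligence. It shows a naming-convention exception whose reason is set with a case() eval statement. The field names nt_host and os and every sample row are assumptions constructed for this example. Both patterns are anchored with ^, so a host such as web-lgcy-test that only contains the string is not matched and stays in the metric calculation.

```spl
| makeresults format=csv data="nt_host,os
lgcy-app01,Windows Server 2008 R2
lgcy-db02,Windows Server 2008 R2
web-lgcy-test,Windows Server 2022
kiosk-lobby-1,Windows 10
fin-ws-114,Windows 11" ```constructed sample rows; nt_host and os are assumed field names```
| eval exception_reason=case(
    match(nt_host, "^lgcy-"), "Legacy server pending decommission",
    match(nt_host, "^kiosk-"), "Kiosk image managed outside standard patching") ```first matching branch sets the reason; unmatched hosts stay null```
| where isnotnull(exception_reason) ```keep only the assets that qualify as exceptions```
| table nt_host exception_reason
```

Run a search like this with Preview before activating it, and compare the number of rows returned against the number of assets you expect the naming convention to cover.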

Last modified on 28 February, 2025

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.1.1

