Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 because of known issues SPL-237796 and SPL-248319, in which search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Assign data source priorities in Splunk Asset and Risk Intelligence

Prioritize data sources based on timeliness, accuracy, and completeness in Splunk Asset and Risk Intelligence. When Splunk Asset and Risk Intelligence aggregates data sources, there might be conflicts between field values. With prioritization, you can decide which data sources, and which particular fields, are the most accurate.

Splunk Asset and Risk Intelligence data processing stores high-priority field values over low-priority field values, regardless of the order in which the data sources supplied those fields. For example, two data sources might provide different values for the same field. Splunk Asset and Risk Intelligence keeps only one value for each field: the one with the highest priority. A field value can only be overwritten by a field value with an equal or higher priority.

You can also set a retention period for field values so that the priority reduces or clears after a specific time period. Setting a retention period is useful for aging out a stale field such as an IP address. See Modify the retention period for asset inventory fields.

You can prioritize sources at the data source level and at the field level. When you prioritize a source at the data source level, Splunk Asset and Risk Intelligence assigns each field value from that data source the same priority. You can be more granular by prioritizing a source at the field level, which allows you to assign different priorities to each individual field from a data source. For example, a data source might have a priority level of High, but the IP address from that data source can have an individual field level priority of Highest.

Prioritize a source at the data source level

To prioritize a data source, complete the following steps:

  1. Select Admin then Data sources and then Data source management.
  2. Select the settings icon next to the data source you want to set a priority for.
  3. Select a priority level for each type of data processing, such as Asset and Identity.
  4. Select Update.
  5. (Optional) If you're decreasing a priority level, you can select Run priority reset in the resulting dialog box to update the priority for existing data from a specified time window, such as Past 7 days. Select Skip if you don't want to change the priority of existing data. See Reprioritize and reset the priority of a data source.

Prioritize a source at the field level

Sometimes a low-priority data source might have a high-priority field. You can use data source field prioritization to overwrite high-priority data sources when a low-priority source has a particularly accurate field. For example, a data source might not have accurate asset intelligence other than an IP address, which might have near real-time accuracy.

To prioritize a data source at the field level, complete the following steps:

  1. Select Admin then Data sources and then Data source management.
  2. Select the more icon next to the data source you want to set a priority for.
  3. Select Manage data source field priorities.
  4. Select the type of data processing that you want to apply the field prioritization to.
  5. Using the drop-down list, select the field name that you want to prioritize.
  6. Set the priority for the selected field name.
  7. Select Add.
  8. Select Close to return to the Data source management page.

Reprioritize or reset the priority at the data source level

To reprioritize or reset the priority of a data source, complete the following steps:

  1. Select Admin then Data sources and then Data source management.
  2. Select the settings icon next to the data source you want to change the priority for.
  3. Using the drop-down lists, select a new priority level for each data processing type.
  4. To reset the priority for existing data, select Reset priority. A priority reset changes all data source field priorities to the priority assigned to the data source.
    1. Select a Reset time window using the drop-down list. You can select a subset of records based on the last time the record was updated using the reset time window. For example, selecting Past 7 days resets the priority on all records updated in the past 7 days.
    2. Select Run priority reset.
    3. Select Close.
  5. Select Update to save your changes.

After you change the priority levels, the new priority levels apply as Splunk Asset and Risk Intelligence processes new data. Existing data that's already stored in the app maintains its existing priority level and doesn't reflect any changes you make unless you run a priority reset.
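The following Python model is an added example, not Splunk code. It shows the overwrite rule, a field-level override, retention aging, and why a downgraded data source keeps winning until a priority reset runs. The numeric ranks, the class and function names, and the sample sources and values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
# Assumed numeric ranks: the page names priority levels, not how they are stored.
RANK = {"Lowest": 1, "Low": 2, "Medium": 3, "High": 4, "Highest": 5}

@dataclass
class Source:
    name: str
    priority: str                                       # data-source-level priority
    field_priority: dict = field(default_factory=dict)  # field-level overrides

    def rank(self, fld):
        return RANK[self.field_priority.get(fld, self.priority)]

class AssetRecord:
    """Hypothetical model: field -> [value, rank, source name, day stored]."""
    def __init__(self, retention_days=None):
        self.fields = {}
        self.retention_days = retention_days or {}  # field -> days until priority clears

    def effective_rank(self, fld, today):
        _, rank, _, stored = self.fields[fld]
        expired = today - stored > self.retention_days.get(fld, float("inf"))
        return 0 if expired else rank   # retention elapsed: priority cleared

    def ingest(self, source, event, today):
        for fld, value in event.items():
            new_rank = source.rank(fld)
            # Overwrite only when the incoming priority is equal or higher.
            if fld not in self.fields or new_rank >= self.effective_rank(fld, today):
                self.fields[fld] = [value, new_rank, source.name, today]

    def reset_priority(self, source, today, window_days):
        """Re-stamp values this source stored within the window with its current priority."""
        for entry in self.fields.values():
            if entry[2] == source.name and today - entry[3] <= window_days:
                entry[1] = RANK[source.priority]

def demo():
    cmdb, edr = Source("cmdb", "High"), Source("edr", "Medium")  # constructed samples
    dhcp = Source("dhcp", "Low", {"ip": "Highest"})
    rec = AssetRecord(retention_days={"ip": 7})
    rec.ingest(cmdb, {"ip": "10.0.0.5", "owner": "alice"}, today=0)
    rec.ingest(dhcp, {"ip": "10.0.0.9", "owner": "unknown"}, today=1)  # only ip wins
    cmdb.priority = "Low"                          # downgrade without a reset
    rec.ingest(edr, {"owner": "carol"}, today=3)   # stored rank is still High
    before = (rec.fields["owner"][0], rec.fields["ip"][0])
    rec.reset_priority(cmdb, today=3, window_days=7)
    rec.ingest(edr, {"owner": "carol", "ip": "10.0.0.7"}, today=10)  # ip aged out
    return before, (rec.fields["owner"][0], rec.fields["ip"][0])
```

`demo()` returns the record before and after the reset: the Medium source cannot replace the owner value until the downgraded source's stored priority is reset, and the Highest-priority IP address is replaced only after its 7-day retention period has elapsed.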

Reprioritize or reset the priority at the field level

To reprioritize or reset the priority of a field, complete the following steps:

  1. Select Admin then Data sources and then Data source management.
  2. Select the more icon next to the data source you want to change the field priority for.
  3. Select Manage data source field priorities.
  4. Select the data processing type where you want to reprioritize fields. For example, Identity.
  5. Use the drop-down lists to select new priorities for any fields with an existing priority.
  6. To reset the priority for one or more fields, select Reset priority. Resetting the priority for a field means that the priority changes not only for incoming data, but also for data that has already been ingested. For example, if you changed the priority of a field from High to Medium, you can choose to reassign the Medium priority to any values of that field updated in the past 7 days.
    1. Select a Reset time window to determine how far back you want to change the field priority.
    2. Select which fields you want to reset the priority for.
    3. Select Reset priorities.
  7. Select Close.

See also

To automatically deprioritize a data source field after a particular period of time, see Manage asset inventory retention in Splunk Asset and Risk Intelligence.

Last modified on 28 February, 2025

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.1.1

