Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 because of known issues SPL-237796 and SPL-248319, in which search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Customize settings in Splunk Asset and Risk Intelligence

As an admin, you can customize your experience with Splunk Asset and Risk Intelligence by modifying the configuration settings.

Turn on or turn off discovery searches

See Turn on or turn off discovery searches in Splunk Asset and Risk Intelligence.

Modify the default configurations

You can modify default settings such as the business name, data source compliance window, metric and risk defaults, and more.

Add a business name

Splunk Asset and Risk Intelligence automatically adds a field called business to every discovered asset or identity.

To update the default business name, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin and then Configuration settings.
  2. Enter a name for Business name.
  3. Select Update.

Individual data sources can override the default business name field. You can also use the bunit field within data sources to denote a specific business unit.

Set the data source compliance window

The Operational health dashboard uses the data source compliance window for each data source. The window is set to one day (86400 seconds) by default, but you can change the default window or customize it for each data source.

To set the default data source compliance window, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin and then Configuration settings.
  2. Enter a time in seconds for Data source compliance window.
  3. Select Update.

Set the number of licensed assets

Set the number of licensed assets to compare the number of assets discovered over the past 30 days against the number of licensed assets. By default, you have 20,000 licensed assets.

To set the number of licensed assets, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin and then Configuration settings.
  2. Enter a Number of licensed assets.
  3. Select Update.

Edit asset type defaults

Add or remove allowable asset types. See Add and manage asset types in Splunk Asset and Risk Intelligence.

Edit risk scoring defaults

Edit default values associated with risk scoring.

  1. In Splunk Asset and Risk Intelligence, select Admin and then Configuration settings.
  2. Select Edit for Risk scoring defaults.
  3. Enter default risk level scores for each risk level.
  4. Use the drop-down list to select a Risk processing schedule and determine how often risk scoring processing runs. By default the schedule is 1 day.
  5. Enter a Default risk score period (sec). The risk score period is the time after risk rule detection, for a given asset, that the score for that risk rule contributes to the overall total risk score. By default this value is 86400 seconds, or 1 day, but you can also modify it at the rule level.
  6. Select Update.

Configure metric split by settings

Split up a metric by a particular field so that you can filter your metric dashboards without creating new metrics. For example, a large company might want to see metric data for each of its business units. Instead of creating a new metric for each business unit, you can split the metric by the bunit field. Then, when viewing the metric dashboard, you can select bunit in the Split by drop-down list.

See Split a metric by fields.

Turn on or turn off entity zones

Turn on or turn off entity zones, which you can use in cases of overlapping IP ranges. To turn on entity zones, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin and then Configuration settings.
  2. Toggle the Enable zones switch to turn it on.

    Even when zones are turned off, all records have a zone of default. You can find this default value for the ip_zone field in the inventories and the subnet directory.

  3. After you turn on entity zones, you must specify a zone field for any configured data sources pertaining to that zone. Use the cim_entity_zone field to specify any zone other than default. You can populate this field using the Splunk calculated field function or a lookup. If you don't populate the cim_entity_zone field, then it gets assigned a zone value of default.
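
One way to populate cim_entity_zone at search time, shown as an added example and not configuration shipped with the product: the sourcetype names, collector host patterns, zone names, and the zone_by_collector lookup are assumptions. Because overlapping ranges make the IP address itself ambiguous, the zone here is derived from which collector reported the event.

```ini
# props.conf (search-time settings on the search head)

# Option 1: calculated field. The sourcetype and host naming scheme are constructed.
[acme:dhcp]
EVAL-cim_entity_zone = case(match(host, "^dhcp-emea-"), "emea", match(host, "^dhcp-apac-"), "apac")
# Events from any other host match no branch, so the field stays unset and
# the record is assigned the zone "default".

# Option 2: lookup keyed on the reporting host. The sourcetype is constructed.
[acme:vpn]
LOOKUP-entity_zone = zone_by_collector host OUTPUT cim_entity_zone

# transforms.conf
[zone_by_collector]
filename = zone_by_collector.csv

# zone_by_collector.csv (constructed sample rows)
# host,cim_entity_zone
# vpn-emea-01,emea
# vpn-apac-01,apac
```

After deploying either option, confirm in the Asset discovery dashboard that records from each collector carry the expected zone and that only sources you intended to leave unzoned show default.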

After you turn on entity zones and add them to configured data sources, you can search for specific zones in dashboards such as Asset discovery and Asset investigation.

You can also use the subnet directory to provide additional context about entity zones. To add zones to the company subnet directory, see Add entity zones to the company subnet directory.

If you configure the Splunk Enterprise Security integration, the ip_zone field becomes the cim_entity_zone field. If the zone has a value of default in Splunk Asset and Risk Intelligence, then the value becomes null with the integration so that it doesn't conflict with the default value of zone in Splunk Enterprise Security.

Set UI preferences

You can customize your view in Splunk Asset and Risk Intelligence by setting the default discovered time range, setting default countries, editing the homepage, and resetting the navigation menu.

Set default discovered time range

For large inventories, you can reduce the load time on discovery views by setting a shorter default time range and loading a smaller set of results. To set the default discovered time range, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin and then Configuration settings.
  2. In the Discovery section, use the drop-down list to select a Default discovered time range.

Set default and primary countries

To avoid scrolling through country lists, you can specify countries to appear at the top of any drop-down country list in Splunk Asset and Risk Intelligence. To set default and primary countries, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin and then Configuration settings.
  2. If you want to set default countries, or countries that appear at the top of lists for users to select from, select the countries in Default country selection.
  3. If you want to set a primary country, or one that appears at the very top of lists for users to select from, use the drop-down list for Primary country selection to select a country.
  4. Select Update.

Edit homepage default settings

To edit the view of the homepage, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin and then Configuration settings.
  2. In the Homepage section, you can customize the following items:
    • Asset count search time range: Use the drop-down list to select which time range to show assets from. Selecting All time might cause a longer load time of the homepage due to a larger number of records.
    • Metric panels per row: Select how many metric panels appear on the homepage per row. The default number of panels per row is 3.
    • Risk scoring charts: Turn on or turn off risk scoring charts to show or hide them on the homepage.

Reset the navigation menu

If a user added their own dashboards to the Splunk Asset and Risk Intelligence menu, you can reset the navigation menu to the default setting. You might also want to reset the navigation menu after upgrading the app. To reset the navigation menu, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin and then Configuration settings.
  2. Select Reset navigation menus to default.

Delete data

You can delete data from Splunk Asset and Risk Intelligence including inventory data, association data, asset notes, and metric exceptions.

To delete data, complete the following steps:

Deleting data permanently deletes it from Splunk Asset and Risk Intelligence.

  1. In Splunk Asset and Risk Intelligence, select Admin and then Configuration settings.
  2. In the Danger zone section, select Delete data for the data you want to delete:
    • Inventory data: includes all discovery data from the asset, IP, identity, MAC, software, and vulnerability inventories
    • Custom inventory data: includes any custom field values added to inventories
    • Association data: includes first and last name associations between assets, identities, IP addresses, and MAC addresses
    • Other data: includes asset notes and metric exceptions
    • Metrics and frameworks: includes metrics, exceptions, and cybersecurity frameworks
    • Reset enrichment lookups: includes custom additions to geolocations, user agents, default accounts, legacy OS, and MAC vendor enrichment lookups

      Deleting this data resets enrichment lookups back to the default content.

Last modified on 28 February, 2025

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.1.1

