Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796, SPL-248319 where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Add or modify a data source in Splunk Asset and Risk Intelligence

You can manage data sources in Splunk Asset and Risk Intelligence by adding known or custom data sources and by modifying existing data sources.

Add a known data source

Splunk Asset and Risk Intelligence comes with a number of configured data sources. To add one of these known data sources, complete the following steps:

  1. Select Admin then Data sources and then Data source management.
  2. Select Add data source configuration.
  3. From the drop-down list, select Add known data source.
  4. From the list of known data sources, choose the data source you want to add. You can search for it by name or by source type.
  5. (Optional) Edit the nickname and source type. After you select a data source, Splunk Asset and Risk Intelligence populates the nickname and source type automatically. You can modify these field values before adding the source.
  6. Select Add source.

Add a custom data source

If you want to add a source that's not included in the list of known data sources, you can add a custom data source. To add a custom data source, complete the following steps:

  1. Select Admin then Data sources and then Data source management.
  2. Select Add data source configuration.
  3. From the drop-down list, select Add custom data source.
  4. Select the data source type. See Data source types for a description of the different data source types.
  5. Enter a nickname. The nickname is the display name for the data source, and it must be unique for each data source.
  6. Select the Category and Vendor.
  7. Turn on the toggle switch for the inventories you want to assign the data source to.
  8. Select whether or not to make the data source passive by turning the toggle switch on or off. A data source with a static data type, such as a CSV file upload, is a passive data source. Passive data sources don't have a reliable way of reporting a last detection date for when the assets were last active on the network. For passive data sources, Splunk Asset and Risk Intelligence doesn't label an asset as active if it was only discovered on that data source.
  9. (Optional) Select the toggle switch to turn on compliance window monitoring, and then enter a compliance window in seconds. The compliance window is the expected frequency that Splunk Asset and Risk Intelligence receives data from the source. If you turn on compliance window monitoring, you can see whether or not Splunk Asset and Risk Intelligence receives data from that source within the specified window. If you don't want to set a particular compliance window time, enter 0.
  10. Select Add.

Modify an existing data source

To modify an existing data source, complete the following steps:

  1. Select Admin then Data sources and then Data source management.
  2. Select the settings icon ( settings ) next to the source you want to modify.
  3. Make your changes.
  4. Select Update.

You can't rename a data source. Instead, delete the existing data source and create a new one.

You can also clone or delete an existing data source by selecting the more icon ( more ) next to the source on the Data source management page.

Last modified on 05 August, 2024
Identify data sources and filter by relevant events in Splunk Asset and Risk Intelligence   Create and modify event searches in Splunk Asset and Risk Intelligence

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters