Add a custom field in Splunk Asset and Risk Intelligence
Add business-specific custom fields by populating the custom data inventory with the field values for each asset.
Add a custom field
To add a custom field to Splunk Asset and Risk Intelligence, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Admin then Data sources and then Custom data field management.
- Select Add field for the inventory you want to add a custom field to.
- Enter the field name.
- (Optional) Select the check box to hide the field from the asset record. Hiding the field removes it from the Record listing in the investigation view, such as Network asset investigation, for that specific inventory.
- Select Add.
- Populate custom data field values using the batched data source event search.
- From the Data sources page, select Data source management.
- Locate the data source containing the additional custom data fields you want to add. If there is no existing data source, you can create a custom data source.
- Select the search icon ( ).
- In the Manage event search dialog box, create or modify your search to populate your custom fields in the tabulated results set.
- Turn on the toggle switch to activate Custom data processing.
- Enter the relevant custom field search macro for the Custom data processing search. For example, if you're adding custom data fields to the network inventory, enter
`ari_update_network_asset_custom_data`
. - (Optional) To immediately populate the custom data fields you added, select Generate summary.
- Select Update.
After you add a custom field, you can find it by selecting Admin then Data sources and then Custom data field management.
To see a list of values for a custom field, select Admin then Data enrichment and then Custom data listing.
After you add custom fields, you can also see them on the relevant investigation views and use them in metrics. For example, if you added custom fields to the network asset inventory, then you can find them on the Network asset investigation page in the Record table while investigating an asset.
Custom field search macros
The following table lists the search macros you need to add for each inventory, and the fields required for that macro:
Macro | Required fields |
---|---|
`ari_update_network_asset_custom_data` | nt_host |
`ari_update_mac_asset_custom_data` | mac |
`ari_update_ip_asset_custom_data` | ip and ip_zone |
`ari_update_user_asset_custom_data` | user_id |
`ari_update_ip_asset_custom_data` | product and nt_host |
`ari_update_user_asset_custom_data` | signature and nt_host |
Data source field mapping reference | Manage asset inventory retention in Splunk Asset and Risk Intelligence |
This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2
Feedback submitted, thanks!