Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796, SPL-248319 where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Add a custom field in Splunk Asset and Risk Intelligence

Add business-specific custom fields by populating the custom data inventory with the field values for each asset.

Add a custom field

To add a custom field to Splunk Asset and Risk Intelligence, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin then Data sources and then Custom data field management.
  2. Select Add field for the inventory you want to add a custom field to.
  3. Enter the field name.
  4. (Optional) Select the check box to hide the field from the asset record. Hiding the field removes it from the Record listing in the investigation view, such as Network asset investigation, for that specific inventory.
  5. Select Add.
  6. Populate custom data field values using the batched data source event search.
    1. From the Data sources page, select Data source management.
    2. Locate the data source containing the additional custom data fields you want to add. If there is no existing data source, you can create a custom data source.
    3. Select the search icon ( search ).
    4. In the Manage event search dialog box, create or modify your search to populate your custom fields in the tabulated results set.
    5. Turn on the toggle switch to activate Custom data processing.
    6. Enter the relevant custom field search macro for the Custom data processing search. For example, if you're adding custom data fields to the network inventory, enter `ari_update_network_asset_custom_data`.
    7. (Optional) To immediately populate the custom data fields you added, select Generate summary.
    8. Select Update.

After you add a custom field, you can find it by selecting Admin then Data sources and then Custom data field management.

To see a list of values for a custom field, select Admin then Data enrichment and then Custom data listing.

After you add custom fields, you can also see them on the relevant investigation views and use them in metrics. For example, if you added custom fields to the network asset inventory, then you can find them on the Network asset investigation page in the Record table while investigating an asset.

Custom field search macros

The following table lists the search macros you need to add for each inventory, and the fields required for that macro:

Macro Required fields
`ari_update_network_asset_custom_data` nt_host
`ari_update_mac_asset_custom_data` mac
`ari_update_ip_asset_custom_data` ip and ip_zone
`ari_update_user_asset_custom_data` user_id
`ari_update_ip_asset_custom_data` product and nt_host
`ari_update_user_asset_custom_data` signature and nt_host
Last modified on 05 August, 2024
Data source field mapping reference   Manage asset inventory retention in Splunk Asset and Risk Intelligence

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters