Add metric exceptions in Splunk Asset and Risk Intelligence

Exclude particular assets from a metric calculation by adding a metric exception. When you add a metric exception, any assets that are in scope for the metric, but also meet your exception criteria, are excluded in the metric calculation. However, you can still see the omitted assets listed in the metric dashboard.

Adding a metric exception is helpful when there are assets that are typically compliant with the metric, but there is an exceptional reason why those assets are not compliant. For example, if there are servers running a legacy operating system, you might want to exclude them from your metric calculation because Splunk Asset and Risk Intelligence labels those servers as defects.

To filter the scope of your metric, such as filtering out workstations, rather than adding an exception, see Edit metric settings.

Add a metric exception

There are two ways you can add a metric exception:

• Manually enter assets to exclude from a metric on the Metric exceptions page
• Select particular assets to exclude from a metric dashboard

To add a metric exception on the Metric exceptions page, complete the following steps:

1. In Splunk Asset and Risk Intelligence, select Risk and then Metric exceptions.
2. Select Add exception.
3. Using the drop-down list, select the Metric that you want to add an exception for.
4. Enter the Exception value. For example, if you select NT Host for the field, enter the hostname for the exception value.
5. (Optional) Enter a reason for adding the exception.
6. Select Add.

After you add an exception, you can find it in the Exception listing table. You can filter and search for particular exceptions by reason and by value.

To add a metric exception from a particular metric dashboard, complete the following steps:

1. In Splunk Asset and Risk Intelligence, select Risk and then Metrics.
2. Select the metric you want to add exceptions to.
3. In the Metric details table, select the check boxes for the assets you want to exclude.
4. Select Exceptions and then Add selected exceptions.

For more details on adding and managing metric exceptions, see Add and manage metric exceptions in the Investigate Assets and Assess Risk in Splunk Asset and Risk Intelligence manual.

Add a metric exception with an exception search

If you want to add a more advanced exception to your metric, such as exclude assets with a particular naming convention, you can do so with the metric exception search.

Each metric has an exception search where you can identify the assets to exclude from the given metric. Splunk Asset and Risk Intelligence turns off exception searches by default.

To activate an exception search and edit the exception logic, complete the following steps:

1. In Splunk Asset and Risk Intelligence, select Admin then Risk management and then Metric and framework management.
2. In the Metrics table, select the more icon ( ) for the metric you want to edit.
3. Select Edit exception search.
4. Review the logic for the metric opportunities.
5. Edit the Exception logic.
   1. Enter a schedule in cron format to designate when the search runs.
   2. Modify the search. The search identifies assets that are exceptions. Exceptions can be any of the fields in the Opportunities section.
   3. Enter a reason. You can enter a reason in quotes or in an if() / case() eval statement.
   4. (Optional) Test the logic by selecting Preview.
6. Activate the exception search by changing the toggle switch to Active.
7. Select Update.

After you activate the exception search and it runs in accordance with the specified schedule, you can find your updated metric exception by navigating to Risk and then Metric exceptions in Splunk Asset and Risk Intelligence.