Splunk® Asset and Risk Intelligence

Administer Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 because of known issues SPL-237796 and SPL-248319, in which search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Troubleshoot Splunk Asset and Risk Intelligence

To find troubleshooting steps for resolving issues you might face with Splunk Asset and Risk Intelligence, see the following list:

User can't save filters

Sometimes when a user can't save filters on the asset discovery pages, it's because they don't have the correct capability added to their role. To add the capability for saving filters to a user's role, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin and then Permission settings.
  2. Select the check box for Save filters to add it to the ari_analyst or ari_admin role. By default, the ari_admin role has this capability.
  3. Select Save.

You must have the ari_admin role to edit roles in Splunk Asset and Risk Intelligence.

For more details on roles and capabilities, see Set up roles and capabilities for Splunk Asset and Risk Intelligence.

The asset investigation page doesn't update records in the record panel

Sometimes while investigating an asset, you might notice that the record panel doesn't update on the asset investigation page. For example, you might notice that an IP address is out-of-date and that the latest IP address doesn't appear. This can happen when the data source that provided the IP address has a higher priority than other data sources and has stopped sending data. In that case, the lower-priority data sources don't overwrite the IP address with a newer IP address.

To resolve this issue, you can reassign data source priorities as needed by completing the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin then Data sources and then Data source management.
  2. In the Configured data sources table, locate the data source you want to prioritize.
  3. Select the settings icon for that source.
  4. Using the drop-down list in the Data source processing priorities section, select the new priority level for the processing type.
  5. Select Update.

For more details on data source priorities, see Assign data source priorities in Splunk Asset and Risk Intelligence.
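
The stale-value behavior described in this section, shown as an added example that is not Splunk code. It is a simplified model of priority-based field resolution that flags a field whose winning source has gone quiet. The source names, timestamps, the 7-day lag threshold, and the convention that a lower number means a higher priority are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: latest ari_ip value per data source for one asset.
# Assumption for this model: a lower number means a higher priority.
OBSERVATIONS = [
    {"source": "cmdb", "priority": 1, "ari_ip": "10.0.0.5",
     "last_seen": datetime(2025, 1, 2, 8, 0)},
    {"source": "dhcp", "priority": 2, "ari_ip": "10.0.0.77",
     "last_seen": datetime(2025, 3, 10, 9, 30)},
    {"source": "edr", "priority": 3, "ari_ip": "10.0.0.77",
     "last_seen": datetime(2025, 3, 10, 9, 45)},
]


def resolve_field(observations, field):
    """Return the observation that wins the field: highest priority with a value."""
    candidates = [o for o in observations if o.get(field)]
    return min(candidates, key=lambda o: o["priority"]) if candidates else None


def stale_winner(observations, field, max_lag=timedelta(days=7)):
    """Report a winner that lags a lower-priority source by more than max_lag."""
    winner = resolve_field(observations, field)
    if winner is None:
        return None
    fresher = [o for o in observations
               if o.get(field) and o["priority"] > winner["priority"]
               and o[field] != winner[field]
               and o["last_seen"] - winner["last_seen"] > max_lag]
    if not fresher:
        return None
    newest = max(fresher, key=lambda o: o["last_seen"])
    return {"field": field, "shown": winner[field], "shown_from": winner["source"],
            "newer": newest[field], "newer_from": newest["source"]}


def reprioritize(observations, source, new_priority):
    """Model of reassigning one source's priority for this processing type."""
    return [dict(o, priority=new_priority) if o["source"] == source else o
            for o in observations]


if __name__ == "__main__":
    print(stale_winner(OBSERVATIONS, "ari_ip"))
    fixed = reprioritize(OBSERVATIONS, "cmdb", 9)
    print(resolve_field(fixed, "ari_ip")["ari_ip"])
```
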

User can't manage metrics, add exceptions, or create alerts

Sometimes when a user can't manage metrics, add exceptions, or create alerts, it's because they don't have the correct capabilities added to their role. To add the capabilities for managing metrics to a user's role, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin and then Permission settings.
  2. For the appropriate role, select the check box for the following capabilities:
    • Manage metric exceptions
    • Add alerts
    • Manage metrics
    By default, the ari_admin role has these capabilities.
  3. Select Save.

You must have the ari_admin role to edit roles in Splunk Asset and Risk Intelligence.

For more details on roles and capabilities, see Set up roles and capabilities for Splunk Asset and Risk Intelligence.

There are missing icons on the data source management page

If there are no action icons on the Data source management page, you might not have the correct capability to manage data sources. To add the capability for managing data sources, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin and then Permission settings.
  2. Select the check box for Manage data sources to add it to the ari_analyst or ari_admin role. By default, the ari_admin role has this capability.

    In order for the ari_manage_data_source_settings capability to function, the user must have the admin_all_objects capability. Assign the user a role that contains the admin_all_objects capability, such as the Splunk platform sc_admin or admin role.

  3. Select Save.

You must have the ari_admin role to edit roles in Splunk Asset and Risk Intelligence.

For more details on roles and capabilities, see Set up roles and capabilities for Splunk Asset and Risk Intelligence.
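
One way to check the capability dependency described in this section, as an added example that is not Splunk code. It resolves role inheritance in an authorize.conf-style export and reports, for each role that holds ari_manage_data_source_settings, whether admin_all_objects is also effective. The sample stanzas are constructed, soc_lead is a hypothetical role name, and it is an assumption that the capabilities appear in that file in this form.

```python
import configparser

# Constructed authorize.conf excerpt; soc_lead is a hypothetical role name.
SAMPLE = """
[role_admin]
admin_all_objects = enabled

[role_ari_analyst]
importRoles = user
ari_manage_data_source_settings = enabled

[role_ari_admin]
importRoles = ari_analyst

[role_soc_lead]
importRoles = ari_admin;admin
"""

ARI_CAP, REQUIRED = "ari_manage_data_source_settings", "admin_all_objects"


def load_roles(text):
    """Parse [role_<name>] stanzas into {name: {"imports": [...], "caps": {...}}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    roles = {}
    for section in parser.sections():
        if section.startswith("role_"):
            items = dict(parser[section])  # configparser lowercases the keys
            imports = [r.strip() for r in items.pop("importroles", "").split(";") if r.strip()]
            caps = {k for k, v in items.items() if v.strip().lower() == "enabled"}
            roles[section[len("role_"):]] = {"imports": imports, "caps": caps}
    return roles


def effective_caps(roles, name, seen=None):
    """Capabilities of a role, including those inherited through importRoles."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # import cycle or undefined role
        return set()
    seen.add(name)
    return set(roles[name]["caps"]).union(
        *(effective_caps(roles, p, seen) for p in roles[name]["imports"]))


def audit(roles):
    """Roles that hold ARI_CAP, mapped to whether REQUIRED is also effective."""
    held = {name: effective_caps(roles, name) for name in roles}
    return {n: REQUIRED in c for n, c in held.items() if ARI_CAP in c}
```

Calling `audit(load_roles(SAMPLE))` marks ari_analyst and ari_admin as lacking admin_all_objects and soc_lead as having it. Because admin_all_objects is a broad capability, the same output doubles as a list of roles to review before granting it.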

User adds a data source but can't see any data

Sometimes after adding a data source, you might not see any fields or values populated when validating the data source. There are several potential causes for this. To troubleshoot, complete the following checks:

Make sure the search time window captures the data

  1. In Splunk Asset and Risk Intelligence, select Admin then Data sources and then Data source management.
  2. In the Configured data sources table, locate the data source you want to modify.
  3. Select the more icon.
  4. Select Validate data source.
  5. Select a new time for the Search time window. A longer time frame captures more data.

Make sure the data source adheres to the correct field mapping

In Splunk Asset and Risk Intelligence, data sources must have a common set of field mappings across each of the processing types. Splunk Asset and Risk Intelligence automatically maps the fields in known data sources to the relevant processing types. However, you must map certain fields in custom data sources to the appropriate processing types. For example, the IP processing type captures all IP addresses associated with assets. Data sources mapped to this processing type must contain the ari_ip field. See Data source field mapping reference.

Make sure the data source has a priority set for the correct processing type

  1. In Splunk Asset and Risk Intelligence, select Admin then Data sources and then Data source management.
  2. In the Configured data sources table, locate the data source you want to prioritize.
  3. Select the settings icon for that source.
  4. Using the drop-down lists in the Data source processing priorities section, select the new priority level for the processing type you're validating. For example, if you're validating against an IP address processing type, then the data source must have a priority set for the IP processing type.
  5. Select Update.

For more details on data source priorities, see Assign data source priorities in Splunk Asset and Risk Intelligence.

Manually run a batched search by generating a source summary

If you added a batched data source, the source might not have generated the data yet, and validation will not work. Batched data sources run on a schedule, which is typically once per hour or once per day. You can run the search outside of its schedule by completing the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin then Data sources and then Data source management.
  2. In the Configured data sources table, locate the data source you want to run the event search for.
  3. Select the search icon for that source.
  4. Select Generate summary now in the Manage Event Search dialog box to run the batched search immediately.
  5. Validate the source again by selecting the more icon and then Validate data source.
Last modified on 11 March, 2025

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.1.1

