Splunk® Asset and Risk Intelligence

Release Notes

Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796, SPL-248319 where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Known issues for Splunk Asset and Risk Intelligence

The following table includes known issues of Splunk Asset and Risk Intelligence. If no issues appear, then there are no known issues.

Date filed Issue description Workaround
2025-05-01 False error message "Maximum wait time reached" appears after selecting Generate summary on the Manage event search dialog box for a batched data source, or after selecting Run search on the Company user/subnet directory populating search dialog box. Ignore the error message. The searches still run successfully despite the appearance of the error message.
2025-04-04 The Operational health dashboard shows two risk-related searches, ari_srch_asset_crs_process and ari_srch_asset_risk_network_filter, as failing because there are no configured risk rules. Add a risk rule. See Add a risk scoring rule.
2025-04-04 Batched event data sources have blank searches and can't be edited or updated after upgrading. Data sources populating custom data fields can't be updated in Data source management because the Search for events box is blank.
  1. Navigate to Splunk Settings then Advanced Search and then Search Macros
  2. Search for the macro named ari_source_<id>_staging_search_custom_fields_macro where the <id> is the ID of the affected data source.
  3. Edit the macro and add the following text at the start of the macro: | fields *.
  4. Select Save.
2025-03-26 Processing searches for asset and IP processing fail after upgrade
  1. Navigate to Admin then Data enrichment and then Company subnet directory.
  2. Update the priority for an existing company subnet by selecting the edit icon for that entry in the actions column. Use the drop-down menu to select a new Priority, and then select Update.
  3. If there are no subnets in the list, add an entry by selecting the add icon ( + ) in the table. You can add any entry, such as 1.1.1.1/24, and then select Add.
2025-03-26 Can't add the lastdetect_<datasource_nickname> field to a metric The lastdetect_<datasource_nickname> field doesn't appear as an available field for use in the metric logic. Follow these steps to troubleshoot:
  1. Navigate to Admin then Data sources and then Data source management.
  2. Locate the data source you want to update in the table, and then select the edit icon in the Actions column.
  3. Select Update. Then you can return to the metric logic to find an available lastdetect_<datasource_nickname> field.
Last modified on 01 May, 2025
What's new in Splunk Asset and Risk Intelligence   Fixed issues for Splunk Asset and Risk Intelligence

This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.1.1

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters