Splunk® Industrial Asset Intelligence (Legacy)

Administer Splunk Industrial Asset Intelligence

Splunk Industrial Asset Intelligence reached its End of Sale on February 24, 2020.

Associate alarm data to your asset structure in Splunk IAI

If you have alarm data from industrial systems and software, you can associate those alarms to the assets in your asset hierarchy. This lets you view alarm data along with metrics data in the Analyze view.

This procedure is optional.



  1. Search to identify the data to associate.
  2. Label your data.
  3. Match unmatched assets.

Search to identify the data to associate

Run a search for the data that you want to associate to this asset hierarchy. Splunk IAI generates a table from your indexed data that you can use to identify your assets, alarms, and alarm messages.

  1. Click the Configure gear icon.
  2. Click the Asset Hierarchies tab.
  3. In the row of the asset hierarchy to which you want to associate data, click Associate Data in the Actions column.
  4. Enter this search query in the Search field, replacing <your index name> with the name of the event index that contains the alarm data that you want to associate with this asset hierarchy:

    index=<your index name> | fields asset alarm_name message _time index sourcetype

    You can replace message, alarm_name, and asset with other field names if your raw data is not normalized to the IoT common information model for alarm data, but these fields must exist in your data. The _time, index, and sourcetype fields are required.
  5. Click the magnifying glass icon to the right of the search field to search your data.

Up to 50 results appear in a table, presenting a sample of the index, assets, alarm names, and alarm messages from your indexed data.

Label your data

Label the columns to align your data to the required schema.

  1. Find the column that represents the names of assets in your environment.
  2. Click a row of the column that contains asset name data.
  3. In the drop-down menu that appears, select Assets.
  4. Find the column that represents the names of alarms in your environment.
  5. Click a row inside that column.
  6. In the drop-down menu that appears, select Alarm > Name.
  7. Find the column that represents the messages from the alarms in your environment. Not all alarms produce messages, so blank values are allowed.
  8. Click a row inside that column.
  9. In the drop-down menu that appears, select Alarm > Message.
  10. Confirm that the index field is visible.
  11. Click Next.

Splunk IAI uses the labels you applied to automatically map the data in your index to your asset hierarchy, matching up the assets in your data that are an exact match to the names of the assets you defined in your hierarchy.

Match unmatched assets

In the Match Unmatched Assets screen, Splunk IAI displays a list of assets from your hierarchy in the left column and a list of unmatched assets in your data in the right column. The assets for which Splunk IAI was able to find an exact match are labeled with a green checkmark icon. The remaining assets are labeled with a yellow triangle to indicate they are unmatched.

Match any unmatched assets by creating and uploading a mapping file. A mapping file correlates asset names from your data with asset names in your hierarchy so that Splunk IAI can map the data in your index correctly to your hierarchy.

  1. Create a two-column CSV file with this header row: hierarchy,source.
  2. In the Match Unmatched Assets screen, use the filters to navigate through the unmapped assets in your hierarchy and sample data to find the ones you want to match.
  3. Populate rows in your CSV file with asset names from your hierarchy and the asset names in your indexed data to which they correlate.

    In the hierarchy column of your CSV file, you must use the full path to the asset exactly as it appears in the column of assets from your hierarchy.

  4. Save the CSV file.
  5. Drag and drop the file you want to upload to the Drop your file here area on the page, or click Browse to navigate to the file. When you upload a valid mapping file, the summary of matched and unmatched assets changes to reflect the new mappings you provided in the file.
  6. Repeat as needed, using additional mapping files to match any remaining unmatched assets until you have matched all relevant items.
  7. Click Save.
Last modified on 18 March, 2019
Associate metrics data to your asset structure in Splunk IAI   Create groups of assets in Splunk IAI

This documentation applies to the following versions of Splunk® Industrial Asset Intelligence (Legacy): 1.2.1, 1.2.2, 1.3.0

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters