To create or modify an event search, complete the following steps:

1. Select Admin then Data sources and then Data source management.
2. Select the search icon ( ) next to the data source you want to create or modify an event search for.
3. Enter your search using SPL. You must adhere to the Splunk Asset and Risk Intelligence field mappings. See Data source field mapping reference.
   Note: For real-time data sources, you can't use the pipe ( | ) operator. For batched data sources, event searches must result in a tabulated results set.
4. (Optional) Test the search by selecting Open in search.
5. Select Update.

Some event searches for batched data sources contain a mapped field called ari_lastdetect, which indicates when the record was last updated. If the ari_lastdetect field is present, Splunk Asset and Risk Intelligence uses this field as the last detection date for the data source event. If there is no ari_lastdetect field, then Splunk Asset and Risk Intelligence uses the _time field from when the batched event search runs.

Each identified data source in Splunk Asset and Risk Intelligence must have its relevant fields mapped to one or more data models. To validate that the data source has the appropriate field mapping, complete the following steps:

1. Select Admin then Data sources and then Data source management.
2. Select the more icon ( ) next to the data source you want to validate.
3. Select Validate data source.
4. Using the drop-down lists, select a time frame and an inventory type.
5. Audit the table results for fields that display a check mark for Required but an X for Values found. You can select the Hide missing fields check box to filter the results.
6. Select Close.

If you find a missing required field, modify the event search. See Create or modify an event search.