Monitor, export, and share audit data in Splunk Asset and Risk Intelligence

You can monitor, export, and share audit data in Splunk Asset and Risk Intelligence from several available audit reports. You might want to review audit reports, for example, before and after you upgrade the Splunk Asset and Risk Intelligence app. To access audit data, select Admin and then Audit.

The following table outlines the available audit reports and what you can do with each one:

Audit report Description
Configuration audit The Configuration audit page reports on local configurations, which include changes that override the original configuration, and additional configurations, which include added changes that don't override the original configuration. The result column displays either a value of different or identical, which describes how the item compares to the original configuration. To find a particular configuration change, you can filter by type, file, and more.
Configuration healthcheck You can use the Configuration healthcheck page to monitor for errors with configured metrics and data sources. You can also monitor current knowledge objects, such as default user accounts, and compare them against the expected knowledge objects.
Sharing audit Some objects, such as dashboards or saved searches, in Splunk Asset and Risk Intelligence are shared only within the app, while others are shared globally with other apps. You can review the sharing status of objects on the Sharing audit page, and you can filter objects by type, such as lookups or macros.
Operational logs On the Operational logs page, you can view configuration changes, app sharing changes, and report downloads completed by users. You can also filter the logs by user.
Data source audit Select from different inventories to find which data sources contribute to each field. You can choose to display by count or percentage. For example, the CMDB data source might contribute 200 records to the asset_class field. If the total count of records for that field is 800, then the percentage display for CMDB would be 25%.
License usage The License usage page reports on license usage based on the limit set on the Configurations settings page. You can set the license limit for this dashboard by selecting Admin then Configuration settings and then editing the License asset usage limit in the Default configurations section.

Export inventory data

You can download any of the following Splunk Asset and Risk Intelligence inventories as a CSV or JSON file:

  • Asset
  • IP
  • Identity
  • MAC
  • Software
  • Vulnerability
  • Splunk Enterprise Security assets
  • Splunk Enterprise Security identities

To export inventory data, complete the following steps:

  1. Select Admin then Audit and then Data export.
  2. Using the drop-down list, select the inventory you want to download. For example, Network asset inventory.
  3. Select Download.
  4. Enter a filename.
  5. Select CSV or JSON for the Output format.
  6. Select Download.

Monitor the operational health of Splunk Asset and Risk Intelligence

As an admin, you can monitor Splunk Asset and Risk Intelligence operations by auditing the operational health dashboard. To view the dashboard, select Admin and then Operational health.

The operational health dashboard includes information on data source compliance, internal lookup health, processing search times, KV store details, and more. You can use this data to report on the health of Splunk Asset and Risk Intelligence. For example, you might find that the processing time for a search is particularly high. A high processing time might indicate a high search load on the Splunk search head.

The following table defines the health statuses for processing searches:

Health status Description
GoodThe run-time is under 3 minutes.
OKThe run time is 3–4 minutes.
ElevatedThe run time is 4–5 minutes.
CriticalThe run time is over 5 minutes.
Note: Reconfigure the data source if the health status of a processing search is critical.

In the Data source health table, a data source is Noncompliant if the lastdetect_sec exceeds the compliance_window. A compliant result of N/A indicates that no compliance window has been set for the data source.