Create and modify event searches in Splunk Asset and Risk Intelligence

If you added a custom data source, you must create an event search using the Search Processing Language (SPL) to map the fields to data processing types. Splunk Asset and Risk Intelligence automatically adds a predefined event search for known data sources, so you don't need to create event searches for known data sources. However, you can modify the default event search.

Create or modify an event search

To create or modify an event search, complete the following steps:

  1. Select Admin then Data sources and then Data source management.
  2. Select the search icon ( search ) next to the data source you want to create or modify an event search for.
  3. Enter your search using SPL. You must adhere to the Splunk Asset and Risk Intelligence field mappings. See Data source field mapping reference.
    Note: For real-time data sources, you can't use the pipe ( | ) operator. For batched data sources, event searches must result in a tabulated results set.
  4. (Optional) Test the search by selecting Open in search.
  5. (Optional) For batched data sources, select the toggle switch to turn on Spread data processing. Then, enter a time in minutes to designate the data processing time frame. Event searches that return too many results can impact performance due to the size of the update on the KV store. If you have an event search that returns more than 200,000 results, you can spread data processing, which pushes all of the records to the KV store over a specified time frame rather than all at once. For example, if you have an event search that runs on a schedule of once per day and consistently returns more than 200,000 results, you can spread data processing over 30 minutes so that Splunk Asset and Risk Intelligence can push all of the records over a 30 minute time frame and reduce the impact on the KV store.
  6. (Optional) For batched data sources, select the toggle switch to turn on Add custom data. If you added custom data fields to your event search, you can select this option to add that custom data to the Splunk Asset and Risk Intelligence inventories. You must define the custom fields before adding them to the inventories. See Add a custom field in Splunk Asset and Risk Intelligence.
    For example, let's say a data source has a unique field called version that doesn't exist in the Splunk Asset and Risk Intelligence inventories. You can choose to add that field to an inventory so that you can track it against your assets.
    1. Select the Inventory where you want to add your custom data. For example, Asset.
    2. For the Mode, select whether you want to Merge or Overwrite the custom data. Overwriting the data means that each time the search runs, Splunk Asset and Risk Intelligence rewrites the values for each field, which removes any existing values and replaces them. Merging the data means that if a search run produces a value for a custom data field, Splunk Asset and Risk Intelligence adds it to the inventory without deleting the existing value.
    3. If you choose to overwrite the data, enter the fields that you want to overwrite.
  7. (Optional) To immediately populate custom data fields you added, select Generate summary.
  8. Select Update.

Some event searches for batched data sources contain a mapped field called ari_lastdetect, which indicates when the record was last updated. If the ari_lastdetect field is present, Splunk Asset and Risk Intelligence uses this field as the last detection date for the data source event. If there is no ari_lastdetect field, then Splunk Asset and Risk Intelligence uses the _time field from when the batched event search runs.

Validate a data source for appropriate event search field mapping

Each identified data source in Splunk Asset and Risk Intelligence must have its relevant fields mapped to one or more data models. To validate that the data source has the appropriate field mapping, complete the following steps:

Note: You can only validate batched data sources if you selected Generate summary in the Event search dialog box.
  1. Select Admin then Data sources and then Data source management.
  2. Select the more icon ( more ) next to the data source you want to validate.
  3. Select Validate data source.
  4. Using the drop-down lists, select a Search time window and a Processing type. By default, you can see only the processing types that the data source has been configured for. Select Display all types to choose from a list of all the Splunk Asset and Risk Intelligence processing types.
  5. Audit the table results for fields that display a check mark for Required but an X for Values found. You can deselect the Display all fields check box to filter the results.
  6. Select Close.

If you find a missing required field, modify the event search. See Create or modify an event search.