Manage asset inventory retention in Splunk Asset and Risk Intelligence

Splunk Asset and Risk Intelligence automatically stores asset records in its inventories for an indefinite period of time. Over time, your asset inventories can grow significantly in size. You might want to remove assets that haven't been active in a long time or assets that are no longer accurate. For example, imagine Splunk Asset and Risk Intelligence detects an IP address on a host. After over a month with no activity, the IP address still lacks any updates. As a result, some of the field values for this asset might not be accurate anymore, so you might want to remove the values assigned to particular fields within the inventory.

To manage the size of your asset inventories, you can modify the retention period for asset records, and you can also modify the retention period for particular field values.

Modify the retention period for asset inventory records

To modify the retention period for asset inventory records, complete the following steps:

CAUTION: Activating a retention period can result in the permanent deletion of data.
  1. In Splunk Asset and Risk Intelligence, select Configure then Data sources and then Inventory retention management.
  2. Select the settings icon ( settings ) for the inventory you want to modify.
  3. Enter a retention period in days for Last discovered over. The retention period is based on the last detected date in Splunk Asset and Risk Intelligence. If an asset hasn't been detected in the period of time you specify, Splunk Asset and Risk Intelligence removes it.

  4. Create a filter for the type of record you want to archive. For example, enter asset_type with the value "workstation" to only archive workstations that haven't been discovered in the time period you specified.

  5. In the Edit asset aging filter dialog box, activate the retention filter using the toggle switch.

  6. Select Update.

After you modify the retention period and activate it, you can find the updated data retention time for the inventory on the Inventory retention management page.

Modify the retention period for asset inventory fields

You can create rules to modify the retention period for particular fields within an inventory. To add an inventory rule, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Configure then Data sources and then Inventory retention management.
  2. In the Inventory field aging rules section, select Add rule.
  3. Using the drop-down list, select an inventory.
  4. Select the field name you want to modify the retention period for.
  5. Select the action you want to perform when the asset reaches the retention period.
    • Select Clear field to delete the field value after the asset reaches the retention period.
    • Select Reduce priority to allow other data sources to overwrite the field value after the asset reaches the retention period.
  6. Enter a retention period in seconds.
  7. Select Add.
  8. Select Modify status, and then activate the rule you created using the toggle switch.
    CAUTION: Activating a retention period can result in the permanent deletion of data.

After you add an inventory rule, you can find it listed on the Inventory retention management page in the Inventory field again rules table. You can edit the retention period again by selecting the settings icon ( settings ) for that rule, and you can remove the rule entirely by selecting the delete icon ( remove ).

Modify association record aging

Splunk Asset and Risk Intelligence records associations between key fields: ip, mac, nt_host, and user_id. You can modify the association record aging to remove any association combinations that have not been discovered for a defined period of time.
  1. In Splunk Asset and Risk Intelligence, select Configure then Data sources and then Inventory retention management.
  2. In the Association record aging section, select the settings icon in the table.
  3. Enter a number of days for Last discovered over. This identifies records that have not been discovered or detected in your specified period of time.
  4. Activate the aging period by turning on the toggle switch.
  5. Select Update.
After you modify and activate the association record aging, the aging period logic runs once per day.

Manually delete records

Manually delete specific records from one or more inventories.
  1. In Splunk Asset and Risk Intelligence, select Configure then Data sources and then Inventory retention management.
  2. Select the Manual delete tab.
  3. Select the inventory that contains the records you want to delete.
  4. Enter your search filter to identify the records you want to delete. See Filter discovery reports for steps on how to filter.
  5. Select Search.
  6. Delete records using either of the following methods:
    1. (Conditional) To delete individual records, select the check boxes for the ones you want to delete. Then select Delete and then Selected records.
    2. (Conditional) To delete all records, select Delete and then All records.
  7. Select OK to confirm you want to delete the records.