Known issues for Splunk Asset and Risk Intelligence

Version 1.1.3

The following table includes known issues of Splunk Asset and Risk Intelligence. If no issues appear, then there are no known issues.

Date filed Issue description Workaround
2025-04-04Batched event data sources have blank searches and can't be edited or updated after upgrading. Data sources populating custom data fields can't be updated in Data source management because the Search for events box is blank.
  1. Navigate to Splunk Settings then Advanced Search and then Search Macros
  2. Search for the macro named ari_source_<id>_staging_search_custom_fields_macro where the <id> is the ID of the affected data source.
  3. Edit the macro and add the following text at the start of the macro: | fields *.
  4. Select Save.
2024-08-22Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796, SPL-248319 where search results in "makeresults" have more rows than expected. See Federated search issues.Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Version 1.1.2

The following table includes known issues of Splunk Asset and Risk Intelligence. If no issues appear, then there are no known issues.

Date filed Issue description Workaround
2025-05-01False error message "Maximum wait time reached" appears after selecting Generate summary on the Manage event search dialog box for a batched data source, or after selecting Run search on the Company user/subnet directory populating search dialog box.Ignore the error message. The searches still run successfully despite the appearance of the error message.
2025-04-04The Operational health dashboard shows two risk-related searches, ari_srch_asset_crs_process and ari_srch_asset_risk_network_filter, as failing because there are no configured risk rules.Add a risk rule. See Add a risk scoring rule.
2025-04-04Batched event data sources have blank searches and can't be edited or updated after upgrading. Data sources populating custom data fields can't be updated in Data source management because the Search for events box is blank.
  1. Navigate to Splunk Settings then Advanced Search and then Search Macros
  2. Search for the macro named ari_source_<id>_staging_search_custom_fields_macro where the <id> is the ID of the affected data source.
  3. Edit the macro and add the following text at the start of the macro: | fields *.
  4. Select Save.
2024-08-22Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796, SPL-248319 where search results in "makeresults" have more rows than expected. See Federated search issues.Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

Version 1.1.1

The following table includes known issues of Splunk Asset and Risk Intelligence. If no issues appear, then there are no known issues.

Date filed Issue description Workaround
2025-03-26Processing searches for asset and IP processing fail after upgrade
  1. Navigate to Admin then Data enrichment and then Company subnet directory.
  2. Update the priority for an existing company subnet by selecting the edit icon for that entry in the actions column. Use the drop-down menu to select a new Priority, and then select Update.
  3. If there are no subnets in the list, add an entry by selecting the add icon ( + ) in the table. You can add any entry, such as 1.1.1.1/24, and then select Add.
2025-03-26Can't add the lastdetect_<datasource_nickname> field to a metricThe lastdetect_<datasource_nickname> field doesn't appear as an available field for use in the metric logic. Follow these steps to troubleshoot:
  1. Navigate to Admin then Data sources and then Data source management.
  2. Locate the data source you want to update in the table, and then select the edit icon in the Actions column.
  3. Select Update. Then you can return to the metric logic to find an available lastdetect_<datasource_nickname> field.