Add a known data source
Splunk Asset and Risk Intelligence comes with a number of configured data sources. To add one of these known data sources, complete the following steps:
- Select Configure then Data sources and then Data source management.
- Select Add data source configuration.
- From the drop-down list, select Add known data source.
- (Optional) Turn on or turn off the toggle switch for Show only discovered data sources. When turned on, Splunk Asset and Risk Intelligence filters its list of known data sources to only the ones available in your environment. This option is on by default.
- From the list of known data sources, choose the data source you want to add. You can search for a data source by name or by source type. After you select a data source, you can see the following information:
- Type: Whether the data source updates in batches or in real-time.
- Method: How the data gets pulled in, such as by API or by forwarder.
- Add-on: Whether or not the associated add-on is installed. The associated add-on must be installed in order to use the data source. If there is an ( x ) icon for the Installed field, select the link to the add-on to open Splunkbase.
- Notes: A description of the source.
- Processing: The types of data processing that Splunk Asset and Risk Intelligence uses for the data source.
- (Optional) Edit the nickname. After you select a data source, Splunk Asset and Risk Intelligence populates the nickname automatically. You can modify it before adding the source.
- For real-time data sources, update the Sourcetype if it's not correct. After you select a data source, Splunk Asset and Risk Intelligence populates the sourcetype automatically. Real-time sources might add knowledge objects tied to this sourcetype, so make sure the sourcetype matches the one you're using.
- Select Add source.