Filter discovery reports
You can filter discovery reports by particular fields or by a Search Processing Language (SPL) search. Then, you can save that filter and return to the same view at a later time. To create a report filter, complete the following steps:
- In Exposure Analytics, select Discovery from the main menu navigation bar, and then select the discovery report you want to view. For example, Asset discovery.
- Select Show filters.
- For the Asset discovery report only, use the drop-down list to select a filter type, such as Asset or IP address.
- Enter a name for your filter.
- Using the drop-down list, select the time frame you want to search within.
- Choose how you want to use and share the filter by selecting the appropriate Sharing check boxes.
- Select the App check box to make the filter app-specific and available for other users to use for discovery.
- If you turn on App sharing, you can also make the filter a risk scoring filter by selecting the Risk check box. See Add a risk scoring filter.
- If you want to filter by fields, select Field filtering and then configure your filter using the drop-down lists. Select the add icon to add an additional field.
- If you want to filter by a search, select SPL search and then enter the SPL into the Search box.
Note: You can filter by fields or by SPL search, but not by both. If you enter a search to filter by, then switching to field filtering clears any SPL data you've input.
- Select Search to see the results.
- Select Save as new filter.
- (Optional) To erase your configured filter, select Reset filter.
- (Optional) If you're an admin, you can add a response based on the discovery filter by selecting Add response. See Add and manage responses in the Administer Splunk Asset and Risk Intelligence manual.
Note: Make sure that Sharing is set to App to add a response based on a discovery filter.
After you save a filter, you can return to that view by selecting it from the Filter drop-down list.