Turn on or turn off discovery searches in Splunk Asset and Risk Intelligence
There are several discovery searches that run regularly to add, update, or remove data from Splunk Asset and Risk Intelligence. As an admin, you can turn on or turn off the searches listed in the following table:
| Type of discovery search | Description | Default run frequency |
|---|---|---|
| Process searches | By running process searches, Splunk Asset and Risk Intelligence can retrieve and track asset and identity data. | 5 minutes |
| Inventory count searches | By running inventory count searches, Splunk Asset and Risk Intelligence keeps a regular count of records within each inventory. If you turn off inventory count searches, you can't access trend data related to asset and identity counts. | 1 hour |
| Association searches | By running association searches, Splunk Asset and Risk Intelligence tracks the first and last time combinations of detected users, hosts, IP addresses, and MAC addresses. If you turn off association searches, you can't access data on associations between assets and identities, such as a host name and an IP address. | 15 minutes |
| Inventory record retention searches | Splunk Asset and Risk Intelligence automatically stores asset records in its inventories for an indefinite period of time, but you can modify the retention period for records. See Manage asset inventory retention in Splunk Asset and Risk Intelligence. | 1 day |
| Inventory field retention searches | By running inventory field retention searches, Splunk Asset and Risk Intelligence processes the retention rules for field values exceeding the defined retention period. Turn on these searches only for the specific inventories that have inventory field retention configured. | x |
| Risk searches | Splunk Asset and Risk Intelligence runs risk searches to process things related to risk, such as risk scoring and exception expiry. | x |
| Other | The other known data source discovery search is responsible for searching your environment for sourcetypes that match any of the known data sources. This helps filter the list of known data sources on the Data source management page to only the sources that have been discovered within your environment. | x |
Turn on or turn off a discovery search
To turn on or turn off a discovery search, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Admin and then Configuration settings.
- Find the section for the search you want to turn on or turn off. For example, Inventory count searches.
- Select the toggle switch for the search you want to turn on or turn off. For example, IP addresses. If you want to turn on or turn off all of the searches, select Turn on all or Turn off all.
- (Optional) You can run an inventory count search outside of its run schedule by selecting Run now.