Install the Splunk Add-on for Asset and Risk Intelligence

Use the Splunk Universal Forwarder to deploy the Splunk Add-on for Asset and Risk Intelligence. To install the add-on, complete the following steps:

  1. Make sure your indexers include the ari_ta index. If the ari_ta index doesn't exist, create one. See Create indexes for Splunk Asset and Risk Intelligence in the Install and Upgrade Splunk Asset and Risk Intelligence manual.
  2. Deploy the appropriate apps for the Splunk Add-on for Asset and Risk Intelligence to your indexers without any local configurations. Deployment apps are available for Mac, Windows, and Linux operating systems. Choose from the following links to download the appropriate app from Splunkbase:
  3. Deploy the appropriate apps for the Splunk Add-on for Asset and Risk Intelligence to your forwarders using a local inputs configuration. Deployment apps are available for Mac, Windows, and Linux operating systems.
    1. Place the apps in the deployment-apps folder on your deployment server.
    2. Create a local directory in each app and place a local inputs.conf file in each one. See Local inputs.conf files.
    3. For each type of operating system you deploy to, deploy the apps using an appropriate serverclass. For example, you might create a serverclass to deploy to all Windows forwarders, and then a serverclass to deploy to all Linux forwarders.
  4. (Optional) Validate the Splunk Add-on for Asset and Risk Intelligence deployment. Check for data by entering the following search:

Local inputs.conf files

Use the following local inputs.conf files and place them in the local directory for each app.

Windows

##############################################################################
## Monitoring of Windows InstalledPrograms file
[script://.\bin\ari_get_installed_programs.bat]
disabled = false

##############################################################################
## Monitoring of Windows System Info file
[script://.\bin\ari_get_system_info.bat]
disabled = false

##############################################################################
## Monitoring of User details
[script://.\bin\ari_get_user_details.bat]
disabled = false

##############################################################################
## Monitoring of Bitlocker Info file
[script://.\bin\ari_get_bitlocker_info.bat]
disabled = false

##############################################################################
## Monitoring of Windows Network Info file
[script://.\bin\ari_get_network_info.bat]
disabled = false

Linux

##############################################################################
## Monitoring of Linux System Info
[script://./bin/ari_linux_get_system_info.sh]
disabled = false

##############################################################################
## Monitoring of Network Info
[script://./bin/ari_linux_get_network_info.sh]
disabled = false

##############################################################################
## Monitoring of User details
[script://./bin/ari_linux_get_user_details.sh]
disabled = false

Mac

##############################################################################
## Monitoring of Mac OSx InstalledPrograms
[script://./bin/ari_osx_get_app_list.sh]
disabled = false

##############################################################################
## Monitoring of Mac OSx System Info
[script://./bin/ari_osx_get_system_info.sh]
disabled = false

##############################################################################
## Monitoring of Network Info
[script://./bin/ari_osx_get_network_info.sh]
disabled = false

##############################################################################
## Monitoring of User details
[script://./bin/ari_osx_get_user_details.sh]
disabled = false
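
Each scripted input stanza runs the named script on every forwarder that receives the app, so it is worth checking each local inputs.conf before a serverclass distributes it. The following is an added example, not part of the Splunk documentation or the add-on: it audits one app directory under deployment-apps, and the app name `example_ari_ta_linux`, the third sample stanza, and the assumption that relative stanza paths resolve against the app directory are all made up for the illustration.

```python
import configparser
import tempfile
from pathlib import Path, PurePosixPath

def audit_scripted_inputs(app_dir):
    """Return (stanza, problem) pairs for <app_dir>/local/inputs.conf."""
    app_dir = Path(app_dir)
    conf = configparser.RawConfigParser(strict=False)
    # Prepend a stanza so settings placed before any header still parse.
    conf.read_string("[default]\n" + (app_dir / "local" / "inputs.conf").read_text())
    findings = []
    for stanza in conf.sections():
        if not stanza.startswith("script://"):
            continue
        # Windows stanzas use .\bin\..., Linux and Mac stanzas use ./bin/...
        rel = PurePosixPath(stanza[len("script://"):].replace("\\", "/"))
        parts = list(rel.parts)
        if rel.is_absolute() or ".." in parts or parts[:1] != ["bin"]:
            findings.append((stanza, "path is not inside the app's bin directory"))
        elif not app_dir.joinpath(*parts).is_file():
            findings.append((stanza, "script file is missing from the app"))
        value = conf.get(stanza, "disabled", fallback="").strip().lower()
        if value not in ("false", "0"):
            findings.append((stanza, "local file does not set disabled = false"))
    return findings

# Constructed sample: two Linux stanzas from this page, one hypothetical stanza.
SAMPLE_INPUTS = """
[script://./bin/ari_linux_get_system_info.sh]
disabled = false
[script://./bin/ari_linux_get_network_info.sh]
disabled = true
[script://./../other_app/bin/collect.sh]
disabled = false
"""

def build_sample_app(root):
    """Create a throwaway app directory (hypothetical name) for the demo."""
    app = Path(root) / "example_ari_ta_linux"
    (app / "local").mkdir(parents=True)
    (app / "bin").mkdir()
    (app / "local" / "inputs.conf").write_text(SAMPLE_INPUTS)
    (app / "bin" / "ari_linux_get_system_info.sh").write_text("#!/bin/sh\n")
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_scripted_inputs(build_sample_app(tmp)):
            print(*finding, sep=": ")
```

An empty result means every script stanza in the local file is enabled and points at a script that exists inside the app's own bin directory.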

Uninstall the Splunk Add-on for Asset and Risk Intelligence

To uninstall the Splunk Add-on for Asset and Risk Intelligence, use forwarder management to remove the deployment apps from your deployment server. See Uninstall an app in the Splunk Enterprise Updating Splunk Enterprise Instances manual.