topic Re: unable to find a saved search asset_discovery in All Apps and Add-ons

unable to find a saved search asset_discovery

chrispolk — Tue, 10 Apr 2012 14:48:30 GMT

Hi everyone,

I've been playing around with the Splunk Asset Discovery app. I think it will be of use to our organisation, but having some issues.

My environment looks like this, 3 separate systems:
2x Splunk indexers
1x Search head.

Each system has the asset discovery app install. Indexers are the ones actually running the nmap scripts.

On our search head I am getting these warnings. Warnings come up no matter what you are doing (even regular searches). It is very annoying:

[indexer1] Unable to find a saved search asset_discovery
[indexer2] Unable to find a saved search asset_discovery

The app is working correctly on the search head. Data/graphs/etc all functioning. It is just this warning message

Anyone have any ideas? or know of a way to just disable the warning?

Re: unable to find a saved search asset_discovery

MarioM — Tue, 10 Apr 2012 15:09:16 GMT

in the savedsearches.conf there are :

# Base Search
[asset_discovery]
search = index=asset_discovery
is_visible = false

And in eventtypes.conf :

# eventtypes.conf

[ping_scan]
search = savedsearch=asset_discovery sourcetype=ping_scan "Host:" "Status:"

[port_scan]
search = savedsearch=asset_discovery sourcetype=port_scan "Host:" "Ports:" "Ignored State:"

Do you have those? And do you see config error when you start splunk from command line?

Re: unable to find a saved search asset_discovery

chrispolk — Tue, 10 Apr 2012 15:17:10 GMT

the savedsearches.conf and eventtypes.conf are present and correct for all systems (search head and indexers).

I tested restarting splunk on command line and there was no config errors. ran btool as well.

Also checked permissions on the asset_discovery saved searches on the indexers, currently set to global and everyone has permissions to read results.

Re: unable to find a saved search asset_discovery

MarioM — Mon, 28 Sep 2020 11:39:22 GMT

have dig into internal index (index=_internal asset_discovery)?
Have you try by only putting the app on the search head?

Re: unable to find a saved search asset_discovery

chrispolk — Mon, 28 Sep 2020 11:39:43 GMT

I haven't tried only having the app on the search head. I'd prefer to have our indexers doing the heavy lifting (running scans).

nothing stands out on the search "index=_internal asset_discovery"

Re: unable to find a saved search asset_discovery

yannK — Thu, 12 Apr 2012 00:06:03 GMT

Hi Chris

The root cause here is that in the app "asset_discovery" , the eventtype in this case is referencing a savedsearch. But in a distributed search setting, splunk doesn't replicate savedsearches.conf from the search-head to the peers.

The problem is that the app is not using a conventional definition for the eventtypes. that is not supported.

Workarounds :

install the app in the search-peers
change the bundle replication whitelist to add the savedsearches.conf ( will be more costly for all your apps / searches )
ask the author of the app to update his app to be compatible with distributed search.
wait for an enhancement in splunk to allow this.

Re: unable to find a saved search asset_discovery

chrispolk — Thu, 12 Apr 2012 00:36:54 GMT

thanks for the response. I've got the app installed in the search peers. i'm thinking maybe i remove from the search peers (indexers). run the app on a heavy forwarder and have this push/tag events into the indexer cluster.

i've removed from the search head for the time being, so the annoying messages are gone.

whats weird is that everything is functioning correctly. the app works really well. it is just that yellow warning message.