topic Re: update asset list in Splunk Enterprise Security

update asset list

riqbal47010 — Sun, 17 Nov 2019 05:30:46 GMT

I have asset list associated with ES. Now I want to remove the assets from the list if they are not reporing more than 60 days.
I have inital query in my mind as below:"

 | inputlookup asset_lookup.csv | eval host=nt_host | join type=left host [ | metadata type=hosts ] | table host lastTime | eval time=strftime(lastTime, "%b %d %T %Y %Z")

I would like to know that is this is a a good practice..?
2nd below are my thoughts that why I wnat to remove those assets from asset list.
1- As most of the servers are vm servers. after some time once the project is comleted the vm admins either remove the vm or assign that vm to some other with different hostname and different IP address.

Re: update asset list

DavidHourani — Tue, 19 Nov 2019 08:46:08 GMT

Hi @riqbal47010,

In order to change your asset list for ES make sure you modify it at the source and not only by running some manual search time actions.

If you're building that list via a scheduled search, so make sure to modify that search and include the changes to suppress any hosts that haven't reported for 60 days.
More info on editing the base search here :
https://docs.splunk.com/Documentation/ES/5.3.1/Admin/Examplemethodsofaddingassetandidentitydata

Let me know if that helps.

Cheers,
David

Re: update asset list

riqbal47010 — Wed, 27 Nov 2019 09:54:55 GMT

manual works 🙂