If you've installed the asset discovery app on a single Splunk server you'll just need to make sure that you've also installed nmap and that it's in an available path. If you look at the scripted inputs for the app (found here-ish: http://localhost:8000/en-US/manager/asset_discovery/data/inputs/script?search=nmap&count=25 ), you should ensure that the correct inputs are listed as "Enabled" for your platform. You can control the execution interval there as well if you click on the inputs. By default the script will attempt to scan it's own subnet. If you'd like to configure scan targets there's a section on the documentation page for the app called "Customizing scan targets" which explains the process. The ping and port scans, or whatever other scans you configure, will execute on the interval that you specify and the resulting data will go into an index called asset_discovery. A search in Splunk of something like this should show some data after execution: index=asset_discovery earliest=-2d
If you're not getting data then there are a couple of things you can check. Make sure that you can execute nmap from the command line as the same user that you have Splunk running under. On that note, nmap really doesn't work very well will without having elevated privileges. There are notes on these items on the documentation page for the app. That page is not a step-by-step guide, but it covers a few of these items. I hope that helps.
I followed the documentation and I get the following error:
"Encountered the following error while trying to save : In handler 'script': The command path "\opt\splunk\demo\etc\apps\assets\asset_discovery\bin\nmap.sh" is not allowed for scripted inputs"
Are you running Splunk on Windows or Linux? The command path you gave has backslashes like in Windows, but ends in '.sh' like in Linux. Also, the path itself is a little odd with 'demo' in it.
Thanks richgalloway. its my mistake that I gave the /opt/splunk....as path
Now I gave c:\program files.......\nmap.cmd -A -0 and I think it is accepting although I need to check whether the scanning is performed or not
But my concern is, there are 2 scripts 1 for ping and 1 for port identification, only port services are showing windows path whereas ping script is showing linux path.. confused!! 😞
Also can you tell what are scan points in asset discovery app?.
I see the ips of few devices from which the syslog is being forwarded.
The most important part of dashboard is "Asset Availability" which is saying "No results found".
There should be two instances of each AD search - one for Windows and one for Linux. Enable the ones for your OS and disable the others. Edit the scripts as needed so they scan the right IP address space(s).
Run the scripts from the command line so you can verify they are running correctly.
Is the nmap program installed on your Splunk server? - Yes
Does the user running Splunk have permission to run nmap? - I am the administrator and I have installed splunk and nmap on same machine.
Double-check the Asset Discovery scripts to make sure the right ones are enabled. Perhaps @mwilson_splunk can offer other suggestions.
To see the AD inputs, go to Settings->Data Inputs->Scripts and look for "asset_discovery" in the "App" column. Some of the input scripts are intended for Windows and others for Linux. Make sure the scripts appropriate for your environment are enabled ("Status" column).