Is the nmap program installed on your Splunk server? Does the user running Splunk have permission to run nmap?
Is the nmap program installed on your Splunk server? - Yes
Does the user running Splunk have permission to run nmap? - I am the administrator and I have installed Splunk and nmap on the same machine.
Double-check the Asset Discovery scripts to make sure the right ones are enabled. Perhaps @mwilson_splunk can offer other suggestions.
That's where I am lagging a bit. I am a newbie to Splunk and not sure what to check and where to check for scripts. Can you please guide me on this?
To see the AD inputs, go to Settings->Data Inputs->Scripts and look for "asset_discovery" in the "App" column. Some of the input scripts are intended for Windows and others for Linux. Make sure the scripts appropriate for your environment are enabled ("Status" column).
Source name override is always showing nmap by default. Why is it so?
I messed up some settings, but could someone please help me?
If you've installed the asset discovery app on a single Splunk server you'll just need to make sure that you've also installed nmap and that it's in an available path. If you look at the scripted inputs for the app (found here-ish: http://localhost:8000/en-US/manager/asset_discovery/data/inputs/script?search=nmap&count=25 ), you should ensure that the correct inputs are listed as "Enabled" for your platform. You can control the execution interval there as well if you click on the inputs. By default the script will attempt to scan its own subnet. If you'd like to configure scan targets there's a section on the documentation page for the app called "Customizing scan targets" which explains the process. The ping and port scans, or whatever other scans you configure, will execute on the interval that you specify and the resulting data will go into an index called assetdiscovery. A search in Splunk of something like this should show some data after execution: index=assetdiscovery earliest=-2d
If you're not getting data then there are a couple of things you can check. Make sure that you can execute nmap from the command line as the same user that you have Splunk running under. On that note, nmap really doesn't work very well without having elevated privileges. There are notes on these items on the documentation page for the app. That page is not a step-by-step guide, but it covers a few of these items. I hope that helps.
I followed the documentation and I get the following error:
"Encountered the following error while trying to save : In handler 'script': The command path "\opt\splunk\demo\etc\apps\assets\asset_discovery\bin\nmap.sh" is not allowed for scripted inputs"
Are you running Splunk on Windows or Linux? The command path you gave has backslashes like in Windows, but ends in '.sh' like in Linux. Also, the path itself is a little odd with 'demo' in it.
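The checks raised in this thread (nmap reachable by the Splunk user, and the scripted-input path in a location Splunk accepts, with the right separators) can be run as a quick pre-flight before saving the input. This is an added example, not code from the thread or from the Asset Discovery app; it assumes SPLUNK_HOME is /opt/splunk unless overridden, and the accepted directories follow Splunk's documented rule for scripted inputs.

```shell
#!/bin/sh
# Added example, not from the thread: pre-check a scripted-input command path
# before saving it in Splunk, covering the failure modes discussed above.
# SPLUNK_HOME defaults to /opt/splunk here (an assumption; override to match).
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Prints a verdict and returns 0 only for "ok":
#   backslash      - Windows-style separators (Splunk on Linux expects forward slashes)
#   bad_location   - not in a directory Splunk accepts for scripted inputs:
#                    $SPLUNK_HOME/etc/system/bin, $SPLUNK_HOME/etc/apps/<app>/bin
#                    or $SPLUNK_HOME/bin/scripts (per Splunk's documentation)
#   missing        - file does not exist
#   not_executable - exists but the current user cannot execute it
check_scripted_input_path() {
    p="$1"
    case "$p" in
        *\\*) echo "backslash"; return 1 ;;
    esac
    # Apps nest exactly one directory deep under etc/apps; the script sits directly in bin.
    if ! printf '%s\n' "$p" | grep -Eq "^$SPLUNK_HOME/(etc/system/bin|etc/apps/[^/]+/bin|bin/scripts)/[^/]+$"; then
        echo "bad_location"; return 1
    fi
    [ -e "$p" ] || { echo "missing"; return 1; }
    [ -x "$p" ] || { echo "not_executable"; return 1; }
    echo "ok"
}

# Confirms nmap is on PATH for the current user (run this as the Splunk user);
# prints the resolved path, or "nmap_not_found" and returns 1.
check_nmap_on_path() {
    command -v nmap 2>/dev/null || { echo "nmap_not_found"; return 1; }
}

# Usage: sh precheck.sh /opt/splunk/etc/apps/asset_discovery/bin/nmap.sh
if [ "$#" -gt 0 ]; then
    check_scripted_input_path "$1"
    check_nmap_on_path
fi
```

Run it as the user Splunk runs under, since both the execute bit and the PATH lookup are evaluated for that account.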