unable to find a saved search asset_discovery

chrispolk
Explorer

Hi everyone,

I've been playing around with the Splunk Asset Discovery app. I think it will be of use to our organisation, but I'm having some issues.

My environment looks like this, 3 separate systems:
2x Splunk indexers
1x Search head.

Each system has the asset discovery app installed. The indexers are the ones actually running the nmap scripts.

On our search head I am getting these warnings. The warnings come up no matter what you are doing (even regular searches). It is very annoying:

  • [indexer1] Unable to find a saved search asset_discovery
  • [indexer2] Unable to find a saved search asset_discovery

The app is working correctly on the search head. Data/graphs/etc. are all functioning. It is just this warning message.

Anyone have any ideas, or know of a way to just disable the warning?

yannK
Splunk Employee

Hi Chris,

The root cause here is that in the app "asset_discovery", the eventtype in this case is referencing a savedsearch. But in a distributed search setting, Splunk doesn't replicate savedsearches.conf from the search head to the peers.

The problem is that the app is not using a conventional definition for the eventtypes; that is not supported.

Workarounds:

  • Install the app on the search peers.
  • Change the bundle replication whitelist to add savedsearches.conf (this will be more costly for all your apps / searches).
  • Ask the author of the app to update his app to be compatible with distributed search.
  • Wait for an enhancement in Splunk to allow this.

chrispolk
Explorer

Thanks for the response. I've got the app installed on the search peers. I'm thinking maybe I remove it from the search peers (indexers), run the app on a heavy forwarder and have this push/tag events into the indexer cluster.

I've removed it from the search head for the time being, so the annoying messages are gone.

What's weird is that everything is functioning correctly. The app works really well. It is just that yellow warning message.

MarioM
Motivator

In savedsearches.conf there is:

# Base Search
[asset_discovery]
search = index=asset_discovery
is_visible = false

And in eventtypes.conf:

# eventtypes.conf

[ping_scan]
search = savedsearch=asset_discovery sourcetype=ping_scan "Host:" "Status:"

[port_scan]
search = savedsearch=asset_discovery sourcetype=port_scan "Host:" "Ports:" "Ignored State:"

Do you have those? And do you see a config error when you start Splunk from the command line?
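As an added illustration (not part of the app or of this thread), here is a small Python check that parses the two stanzas above, reports which eventtypes cannot resolve on a peer that never received savedsearches.conf (which is what each indexer's "Unable to find a saved search" warning means), and produces the inlined equivalent that drops the dependency. The sshd_login stanza is a constructed extra; the other stanzas are the ones from the post.

```python
import configparser
import re

# Constructed sample of the two conf files shown in the thread, plus one
# extra eventtype (sshd_login, made up here) that does not use savedsearch=.
SAVEDSEARCHES_CONF = """
# Base Search
[asset_discovery]
search = index=asset_discovery
is_visible = false
"""
EVENTTYPES_CONF = """
[ping_scan]
search = savedsearch=asset_discovery sourcetype=ping_scan "Host:" "Status:"
[port_scan]
search = savedsearch=asset_discovery sourcetype=port_scan "Host:" "Ports:" "Ignored State:"
[sshd_login]
search = sourcetype=linux_secure "Accepted"
"""
# Matches savedsearch=NAME or savedsearch="NAME" inside an eventtype's search string.
SAVEDSEARCH_REF = re.compile(r'\bsavedsearch=("?)([^\s"]+)\1')

def load_conf(text):
    """Parse an INI-style Splunk .conf into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def find_savedsearch_refs(eventtypes):
    """{eventtype: [savedsearch names]} for eventtypes that use savedsearch=."""
    refs = {}
    for name, stanza in eventtypes.items():
        found = [m.group(2) for m in SAVEDSEARCH_REF.finditer(stanza.get("search", ""))]
        if found:
            refs[name] = found
    return refs

def check_peer_resolution(eventtypes, peer_savedsearches):
    """(eventtype, savedsearch) pairs a peer cannot resolve with the savedsearches.conf
    stanzas it actually has; pass {} for a peer that received no savedsearches.conf."""
    return [(et, n) for et, names in find_savedsearch_refs(eventtypes).items()
            for n in names if n not in peer_savedsearches]

def inline_savedsearch(eventtypes, savedsearches):
    """Substitute the saved search's own SPL for each savedsearch= reference so the
    eventtype no longer needs savedsearches.conf on the peers; unknown names stay."""
    def sub(m):
        target = savedsearches.get(m.group(2))
        return "(" + target["search"] + ")" if target else m.group(0)
    return {et: SAVEDSEARCH_REF.sub(sub, st.get("search", "")) for et, st in eventtypes.items()}
```

Running check_peer_resolution with an empty dict reproduces one warning per referencing eventtype, exactly the pair of peer warnings in the question.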

chrispolk
Explorer

I haven't tried only having the app on the search head. I'd prefer to have our indexers doing the heavy lifting (running scans).

Nothing stands out in the search "index=_internal asset_discovery".

MarioM
Motivator

Have you dug into the internal index (index=_internal asset_discovery)?
Have you tried only putting the app on the search head?

chrispolk
Explorer

The savedsearches.conf and eventtypes.conf are present and correct on all systems (search head and indexers).

I tested restarting Splunk from the command line and there were no config errors. I ran btool as well.

I also checked permissions on the asset_discovery saved search on the indexers; it is currently set to global and everyone has permission to read results.
