I've been playing around with the Splunk Asset Discovery app. I think it will be of use to our organisation, but I'm having some issues.
My environment looks like this, 3 separate systems:
2x Splunk indexers
1x Search head.
Each system has the asset discovery app installed. The indexers are the ones actually running the nmap scripts.
On our search head I am getting these warnings. Warnings come up no matter what you are doing (even regular searches). It is very annoying:
The app is working correctly on the search head. Data/graphs/etc. are all functioning. It is just this warning message.
Anyone have any ideas, or know of a way to just disable the warning?
The root cause here is that in the app "asset_discovery", the eventtype in this case is referencing a saved search. But in a distributed search setting, Splunk doesn't replicate savedsearches.conf from the search head to the peers.
The problem is that the app is not using a conventional definition for the eventtypes. That is not supported.
Thanks for the response. I've got the app installed on the search peers. I'm thinking maybe I remove it from the search peers (indexers), run the app on a heavy forwarder and have this push/tag events into the indexer cluster.
I've removed it from the search head for the time being, so the annoying messages are gone.
What's weird is that everything is functioning correctly. The app works really well. It is just that yellow warning message.
In the savedsearches.conf there is:
# Base Search
[asset_discovery]
search = index=asset_discovery
is_visible = false
And in eventtypes.conf:
# eventtypes.conf
[ping_scan]
search = savedsearch=asset_discovery sourcetype=ping_scan "Host:" "Status:"

[port_scan]
search = savedsearch=asset_discovery sourcetype=port_scan "Host:" "Ports:" "Ignored State:"
Do you have those? And do you see a config error when you start Splunk from the command line?
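A check for the root cause described earlier in the thread, run over the two stanza sets quoted in this comment: it parses savedsearches.conf and eventtypes.conf, lists every eventtype whose search contains a savedsearch= term (a name a search peer cannot resolve when savedsearches.conf is not replicated to it), and produces an eventtypes.conf whose stanzas carry the base search's own SPL instead. This is added example code, not part of the thread or of the Asset Discovery app; the .conf text below is constructed from the quotes above, and inlining the saved search's SPL in place of the savedsearch= token is assumed to be the conventional eventtype definition, not a fix the app ships.

```python
import configparser
import re

# Constructed sample input: the stanzas quoted in the thread, laid out as
# they would appear in the app's default/ or local/ directory.
SAVEDSEARCHES_CONF = """\
# Base Search
[asset_discovery]
search = index=asset_discovery
is_visible = false
"""

EVENTTYPES_CONF = """\
# eventtypes.conf
[ping_scan]
search = savedsearch=asset_discovery sourcetype=ping_scan "Host:" "Status:"

[port_scan]
search = savedsearch=asset_discovery sourcetype=port_scan "Host:" "Ports:" "Ignored State:"
"""

# Matches a savedsearch=NAME or savedsearch="NAME WITH SPACES" term in SPL.
SAVEDSEARCH_REF = re.compile(r'savedsearch=(?:"([^"]+)"|(\S+))')


def load_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; no interpolation, keys keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def find_savedsearch_refs(eventtypes):
    """Return {eventtype: [saved search names]} for every eventtype that depends on a
    saved search. On a search peer that has no savedsearches.conf these names cannot
    resolve, which is what the search head warns about."""
    refs = {}
    for name, stanza in eventtypes.items():
        names = [quoted or bare for quoted, bare in SAVEDSEARCH_REF.findall(stanza.get("search", ""))]
        if names:
            refs[name] = names
    return refs


def inline_savedsearches(eventtypes, savedsearches):
    """Rewrite each savedsearch=NAME term into the referenced saved search's own SPL,
    parenthesised so operator precedence is unchanged. Returns (rewritten searches,
    {eventtype: [names that could not be resolved]}); unresolved terms are left as-is."""
    rewritten, unresolved = {}, {}
    for name, stanza in eventtypes.items():
        missing = []

        def replace(match):
            ref = match.group(1) or match.group(2)
            target = savedsearches.get(ref, {}).get("search")
            if target is None:
                missing.append(ref)
                return match.group(0)  # report it rather than guess at the SPL
            return "(" + target + ")"

        rewritten[name] = SAVEDSEARCH_REF.sub(replace, stanza.get("search", ""))
        if missing:
            unresolved[name] = missing
    return rewritten, unresolved


def render_eventtypes(rewritten):
    """Emit eventtypes.conf text that no longer needs savedsearches.conf on the peers."""
    return "\n".join(f"[{name}]\nsearch = {spl}\n" for name, spl in rewritten.items())


if __name__ == "__main__":
    eventtypes = load_conf(EVENTTYPES_CONF)
    savedsearches = load_conf(SAVEDSEARCHES_CONF)
    print("eventtypes depending on saved searches:", find_savedsearch_refs(eventtypes))
    new_spl, unresolved = inline_savedsearches(eventtypes, savedsearches)
    print(render_eventtypes(new_spl))
    if unresolved:
        print("could not resolve:", unresolved)
```

Pointing load_conf at the app's real eventtypes.conf and savedsearches.conf (for example via btool output) gives the same report for every stanza the app defines; anything listed as unresolved is a saved search the eventtype needs but that does not exist in that scope, which is worth checking before deciding the distributed-search replication gap is the only cause.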
I haven't tried only having the app on the search head. I'd prefer to have our indexers doing the heavy lifting (running scans).
Nothing stands out on the search "index=_internal asset_discovery".
Have you dug into the internal index (index=_internal asset_discovery)?
Have you tried only putting the app on the search head?
The savedsearches.conf and eventtypes.conf are present and correct on all systems (search head and indexers).
I tested restarting Splunk on the command line and there were no config errors. Ran btool as well.
Also checked permissions on the asset_discovery saved searches on the indexers; currently set to global, and everyone has permission to read results.