Solved: How to extract or display asset names in dashboard...

echojacques · ‎02-21-2014

Hello,

I'm running Splunk 6 with Enterprise Security 2.4. I've populated the "assets" lookups table (assets.csv) to include several IP's along with their names and priorities. For example:

ip             nt_host      priority
10.10.10.10    SERVER1      high

I have dashboards that of course include IP addresses, etc. My question is, how do I add the asset name to my dashboard (search) to include the nt_host name?

What is confusing me is that "nt_host" isn't an available field in search results related to 10.10.10.10. Otherwise it would be easy, I would just add "nt_host" as a field in my underlying search in the dashboard panel.

As always, thanks for your help!

jcoates_splunk · ‎02-22-2014

hi, so the catch here is that nt_host might not be extracted (or even available) in your raw data. To make it work, you need to fillnull or eval... there's a macro that does this for you, map_notable_fields.

View solution in original post

jcoates_splunk · ‎02-22-2014

hi, so the catch here is that nt_host might not be extracted (or even available) in your raw data. To make it work, you need to fillnull or eval... there's a macro that does this for you, map_notable_fields.

How to extract or display asset names in dashboards or search results? (Enterprise Security)

There's No Place Like Chrome and the Splunk Platform

The Great Resilience Quest: 5th Leaderboard Update

Devesh Logendran, Splunk, and the Singapore Cyber Conquest