Splunk Enterprise Security

How to extract or display asset names in dashboards or search results? (Enterprise Security)

echojacques
Builder

Hello,

I'm running Splunk 6 with Enterprise Security 2.4. I've populated the "assets" lookup table (assets.csv) to include several IPs along with their names and priorities. For example:

ip             nt_host      priority
10.10.10.10    SERVER1      high

I have dashboards that of course include IP addresses, etc. My question is, how do I add the asset name to my dashboard (search) to include the nt_host name?

What is confusing me is that "nt_host" isn't an available field in search results related to 10.10.10.10. Otherwise it would be easy, I would just add "nt_host" as a field in my underlying search in the dashboard panel.

As always, thanks for your help!


jcoates_splunk
Splunk Employee

hi, so the catch here is that nt_host might not be extracted (or even available) in your raw data. To make it work, you need to fillnull or eval... there's a macro that does this for you, map_notable_fields.

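A worked search that does what the answer describes, added here as an illustration (it is not part of the original thread or of the Enterprise Security app). It assumes a lookup definition named `assets` that points at the assets.csv shown in the question (columns ip, nt_host, priority), events whose source address is in a field called `src`, and a hypothetical `index=fw sourcetype=firewall` base search; adjust those names to your own environment. The point is that nt_host is never a field in the raw events: the `lookup` command creates it by matching the event's IP against the asset table, and `fillnull` or `eval coalesce(...)` handles events whose IP has no asset entry so the dashboard column is never blank.

```spl
index=fw sourcetype=firewall
| lookup assets ip AS src OUTPUT nt_host AS src_nt_host priority AS src_priority
| fillnull value="unknown" src_priority
| eval src_nt_host=coalesce(src_nt_host, src)
| stats count AS events BY src src_nt_host src_priority
| sort - events
```

With the table from the question, an event from 10.10.10.10 gets src_nt_host=SERVER1 and src_priority=high; an event from an address not in assets.csv shows the IP itself as src_nt_host and "unknown" as its priority, so unknown hosts stand out rather than disappear. Because the lookup runs inside the panel's search, the new src_nt_host field can be referenced by name in the same panel or used as the `BY` field in any later transforming command.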
