Splunk Enterprise Security

How to extract or display asset names in dashboards or search results? (Enterprise Security)


Hello,

I'm running Splunk 6 with Enterprise Security 2.4. I've populated the "assets" lookup table (assets.csv) to include several IPs along with their names and priorities. For example:

ip             nt_host      priority
10.10.10.10    SERVER1      high

I have dashboards that of course include IP addresses, etc. My question is, how do I add the asset name to my dashboard (search) to include the nt_host name?

What is confusing me is that "nt_host" isn't an available field in search results related to 10.10.10.10. Otherwise it would be easy: I would just add "nt_host" as a field in my underlying search in the dashboard panel.

As always, thanks for your help!


Splunk Employee

Hi, so the catch here is that nt_host might not be extracted (or even available) in your raw data. To make it work, you need to fillnull or eval... There's a macro that does this for you: map_notable_fields.

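As an added example (not part of the original answer), this is what the enrichment step looks like when written out by hand rather than via the map_notable_fields macro: the raw events only carry an IP, so the search pulls nt_host and priority in from the assets.csv file named in the question, then fills the gaps for IPs that have no asset entry so the dashboard column never comes up empty. The index, the action filter and the src field name are constructed for the example; substitute your own. It also assumes assets.csv can be referenced by file name from the app context where the panel runs (if it cannot, use the lookup definition name that points at the file instead).

```spl
index=firewall action=blocked
| lookup assets.csv ip AS src OUTPUT nt_host AS src_nt_host, priority AS src_priority
| fillnull value="unknown" src_nt_host src_priority
| stats count BY src, src_nt_host, src_priority
```

Before wiring this into a panel, confirm the table actually contains the row you expect with `| inputlookup assets.csv | search ip="10.10.10.10"`; if that returns nothing, the lookup stage will silently produce empty fields (which fillnull then labels "unknown") rather than an error. The lookup command matches the ip column as an exact string, which is fine for the single-host rows shown in the question; if assets.csv also holds CIDR ranges, those rows only match through a CIDR-aware lookup definition, not a plain CSV file lookup.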
