Splunk Enterprise Security

Splunk Enterprise Security: How to associate business software to an asset?

edhealea
Path Finder

I have a .csv which contains a list of business applications, the app owner, the server (hostname, or the same as nt_host) the app is installed on, and the software's risk rating.
What I need to do is take the application(s) and the app owner(s) and associate them to the nt_host in our assets.
I currently have the file installed as a lookup but am not sure how to proceed.

0 Karma

Richfez
SplunkTrust

The regular Splunk tutorial may or may not have an example (I don't know for sure), but here's one that you can follow to get a reasonable example of how to do these things.

A close reading of the docs for lookup may also suggest at least things to try.

One thing you might need to do is make sure you have a field to join them up on. nt_host is fine, but it would have to be on both sides (not necessarily with the same name, just the same contents).

... | lookup TheNameOfMyLookup FieldInLookup1 AS FieldNameInEvent1 OUTPUT appowner AS MyNewAppOwnerName application AS MyNewApplicationName

It's just a sample, but hopefully this gets you started.

Happy Splunking,
Rich

0 Karma
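To make the generic lookup pattern above concrete for the asker's case, here is an added example (not from the original thread, and not Splunk's own documentation) that enriches the Enterprise Security asset table with the business-application CSV. It assumes the CSV is installed as a lookup named business_apps with columns host, application, app_owner and risk_rating, and that the merged ES asset list is readable via the asset_lookup_by_str lookup (the name ES uses for its string-keyed asset table; adjust if your version differs). Field and lookup names are assumptions, not values from the page.

```spl
| inputlookup asset_lookup_by_str
| eval join_host=lower(nt_host)
| lookup business_apps host AS join_host OUTPUT application AS business_app app_owner AS business_app_owner risk_rating AS business_app_risk
| where isnotnull(business_app)
| table nt_host ip dns business_app business_app_owner business_app_risk
```

Two caveats worth checking before trusting the join. First, CSV lookups are case-sensitive unless the lookup definition sets case_sensitive_match to false, so either lower-case the host column in the CSV as well or change that setting; a mismatch silently produces no match rather than an error, so run the search without the where clause first and confirm business_app is populated for hosts you know are in the file. Second, if one host runs several applications, the lookup returns multivalued business_app and business_app_owner fields, which is usually what you want here. The same lookup line can be appended to any search whose results carry nt_host (notable events, authentication searches), which is the form Rich's snippet shows. If you want the fields on the asset records themselves rather than added at search time, ES also lets you register the CSV as an additional asset source in Asset and Identity Management so it is merged on nt_host with your existing asset lookups.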