Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security: How to associate business software to an asset?

edhealea
Path Finder
‎06-28-2019 09:36 AM

I have a .csv which contains a list of business applications, the app owner, the server(hostname or same as nt_host) the app is installed on and the software's risk rating.
What I need to do is take the application(s) and the app owner(s) and associate them to the nt_host in our assets.
I currently have the file installed as a lookup but not sure how to proceed.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎06-29-2019 07:21 PM

The regular Splunk tutorial may or may not have an example (I don't know for sure), but here's one that you can follow to get a reasonable example of how to do these things.

A close reading of the docs for lookup may also suggest at least things to try.

One thing you might need to do is make sure you have a field to join them up on - nt_host is fine, but it would have to be on both sides (not necessarily with the same name - just the contents.)

... | lookup TheNameOfMyLookup FieldInLookup1 AS FieldNameInEvent1 OUTPUT appowner AS MyNewAppOwnerName application AS MyNewApplicationName

It's just a sample, but hopefully this gets you started.

Happy Splunking,
Rich

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...