Splunk Enterprise Security: What is the best way to add details to asset information?

splunker1981
Path Finder

Hello Splunkers,

Can someone provide some guidance on what is the best or recommended method of adding context to asset information? From what I can tell, it can be done via tags, asset lists (asset management), and automatic lookups. What I'm trying to do is add things like who owns a system, what location an IP falls within based on CIDR block, what type of business unit the IP or host falls under, etc. From what I gather, my options are between asset management and automatic lookups. Tags seem like they would be hard to maintain. I'd like to be able to search and report on this data within my searches and Splunk Enterprise Security, so I'm not sure if that changes anything. Any pointers would be greatly appreciated.

Cheers.


mdessus_splunk
Splunk Employee

Hello,

You're correct, both ways are available.
The asset feature from ES should provide you most of what you need (have a look here if needed: http://docs.splunk.com/Documentation/ES/4.1.0/User/AssetandIdentityCorrelation#Asset_lookup_details ), and you can set it up to be updated automatically from third-party sources (like AD or your CMDB).


Richfez
SplunkTrust

To add to the answer mdessus gave, you can also do a combination. For instance, if AD (see note 1) has most of the information but you have another system for storing location information, you could pull everything you need from AD and everything you need from the other system, then combine them (see note 2) to get your final asset list.

Note 1) If you use AD, there is a way to speed up your search for assets or identities by about an order of magnitude. An easy way, in fact. I believe Splunk is looking at adding the minor modification to the search in the official docs, but it isn't there as of 6.4. If you go this route, after you get it implemented, post a new question asking "How can I speed up my LDAP/AD asset list creation" or something like that.

Note 2) The ways to accomplish this are myriad, but I'd guess it's often: have your secondary set of data in a lookup, do a search against your primary location and do the lookup to get your other info, then write the whole mess out to whatever you have set up for your asset list (csv, likely).
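The combination Richfez describes in Note 2 (primary source from AD, secondary lookup for location, merged and written out as the asset CSV) is normally done inside Splunk with `| lookup` followed by `| outputlookup`. The script below is an added example, not code from either answer or from Splunk, that performs the same merge outside Splunk so the logic is visible: an AD computer export is joined to a CIDR-to-location/business-unit table using longest-prefix matching (so a /24 row overrides the /16 that contains it), and the result is emitted with the Enterprise Security asset lookup header. Both input tables, the host names, addresses and owners are constructed for the example; the helper names (`build_asset_rows`, `render_asset_csv`) are this example's own. Hosts whose IP matches no block get an explicit `priority` of `unknown` rather than silently inheriting a default, which is the gap a practitioner wants to see when reviewing the generated list.

```python
"""
Build a Splunk Enterprise Security asset lookup CSV by merging an AD
computer export (primary source) with a CIDR-to-location/business-unit
table (secondary source). Added example; all input data is constructed.
"""
import csv
import io
import ipaddress

# Field order of the ES asset lookup (assets.csv) as documented for ES 4.x.
ES_ASSET_FIELDS = [
    "ip", "mac", "nt_host", "dns", "owner", "priority", "lat", "long",
    "city", "country", "bunit", "category", "pci_domain", "is_expected",
    "should_timesync", "should_update", "requires_av",
]

# Constructed stand-in for an AD computer-object export (primary source).
AD_EXPORT = """\
nt_host,dns,ip,owner,managed_by_ou
WEB01,web01.corp.example,10.1.20.15,alice,Servers/Web
DB01,db01.corp.example,10.1.30.7,bob,Servers/DB
LAP-42,lap-42.corp.example,10.2.5.99,carol,Workstations
ORPHAN,orphan.corp.example,192.0.2.44,,Unknown
"""

# Constructed secondary lookup: CIDR block -> site, business unit, priority.
# Overlapping blocks are intentional; the most specific prefix must win.
CIDR_LOOKUP = """\
cidr,city,country,bunit,priority
10.0.0.0/8,Austin,US,corporate,medium
10.1.0.0/16,Austin,US,datacenter,high
10.1.20.0/24,Austin,US,ecommerce,critical
10.2.0.0/16,Berlin,DE,sales,low
"""


def load_cidr_table(text):
    """Parse the CIDR lookup into (network, row) pairs, longest prefix first."""
    rows = list(csv.DictReader(io.StringIO(text)))
    table = [(ipaddress.ip_network(r["cidr"], strict=True), r) for r in rows]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup_cidr(ip, table):
    """Return the most specific lookup row whose block contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, row in table:
        if addr in net:
            return row
    return None


def build_asset_rows(ad_text, cidr_text):
    """Merge each AD row with its CIDR context into an ES asset dictionary."""
    table = load_cidr_table(cidr_text)
    assets = []
    for ad in csv.DictReader(io.StringIO(ad_text)):
        loc = lookup_cidr(ad["ip"], table) or {}
        asset = {field: "" for field in ES_ASSET_FIELDS}
        asset.update({
            "ip": ad["ip"],
            "nt_host": ad["nt_host"],
            "dns": ad["dns"],
            "owner": ad["owner"],
            # "unknown" is a valid ES priority; using it for unmatched hosts
            # keeps the coverage gap visible instead of masking it.
            "priority": loc.get("priority", "unknown"),
            "city": loc.get("city", ""),
            "country": loc.get("country", ""),
            "bunit": loc.get("bunit", ""),
            # Example rule: derive the asset category from the AD OU.
            "category": ("server" if ad["managed_by_ou"].startswith("Servers")
                         else "workstation"),
            "is_expected": "true",
        })
        assets.append(asset)
    return assets


def render_asset_csv(assets):
    """Serialise the merged rows with the ES header so the file can be loaded as the asset list."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ES_ASSET_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(assets)
    return buf.getvalue()


if __name__ == "__main__":
    print(render_asset_csv(build_asset_rows(AD_EXPORT, CIDR_LOOKUP)))
```

Two practical notes. First, because the ES asset lookup's `ip` field accepts CIDR ranges as well as single addresses, a location table like `CIDR_LOOKUP` can also be loaded directly as a second asset source in Asset Management rather than pre-merged; the merge shown here is useful when the CMDB or AD export is the authoritative record and the location table only enriches it. Second, the longest-prefix ordering matters: without it, the 10.0.0.0/8 row would claim every 10.x host and the business-unit column would be wrong for exactly the hosts you care most about.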
