Splunk SOAR
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk SOAR - Delete Almost unused Label?

curtisjester
Explorer
3 weeks ago

Hey there,

Let me start off by saying I can delete labels if there are no assets using them. The issue originates when an asset is "using" these labels but I cannot tell how.

 

For some reason we have "event" and "events" where I would like to delete the unused "event" label. But there's an asset using it. Looking under all configured assets I cannot find where the label "event" is used.

 

How can I accomplish my goal of finding the asset that is listed, when it's only a simple description:
1 Asset (asset name)

 

When looking at all my assets, only one matches. But inside this asset for the app Rest API, I can't find any mention or designation for labels whatsoever.

curtisjester_0-1732644961789.png

The asset

curtisjester_1-1732645024791.pngcurtisjester_2-1732645068016.png

 

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

marnall
Motivator
3 weeks ago

There must be a tab in Asset Configuration called "Ingest Settings", in the middle between Asset Settings and Approval Settings. In that area you can specify the label to apply to created objects from the app.

Since this is missing in your "splunk" asset, something is broken. You might need to delete the asset and re-create it to get it to let go of the label.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

marnall
Motivator
3 weeks ago

There must be a tab in Asset Configuration called "Ingest Settings", in the middle between Asset Settings and Approval Settings. In that area you can specify the label to apply to created objects from the app.

Since this is missing in your "splunk" asset, something is broken. You might need to delete the asset and re-create it to get it to let go of the label.

0 Karma
Reply
Solved! Jump to solution

curtisjester
Explorer
3 weeks ago

That worked; not sure why that was the case -- I will note you weren't correct in regards to "Ingest settings" but for some reason the asset defaulted to the Event label instead of "events" and this connection, once severed, updated my labels and removed Event

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...