Splunk SOAR - Delete Almost unused Label?

curtisjester
Explorer

Hey there,

Let me start off by saying I can delete labels if there are no assets using them. The issue originates when an asset is "using" these labels but I cannot tell how.

For some reason we have "event" and "events" where I would like to delete the unused "event" label. But there's an asset using it. Looking under all configured assets I cannot find where the label "event" is used.

How can I accomplish my goal of finding the asset that is listed, when it's only a simple description:
1 Asset (asset name)

When looking at all my assets, only one matches. But inside this asset for the app Rest API, I can't find any mention or designation for labels whatsoever.

The asset: [screenshots not preserved]

0 Karma
1 Solution

marnall
Motivator

There must be a tab in Asset Configuration called "Ingest Settings", in the middle between Asset Settings and Approval Settings. In that area you can specify the label to apply to created objects from the app.

Since this is missing in your "splunk" asset, something is broken. You might need to delete the asset and re-create it to get it to let go of the label.

0 Karma

curtisjester
Explorer

That worked; not sure why that was the case. I will note you weren't correct in regards to "Ingest settings", but for some reason the asset defaulted to the Event label instead of "events", and this connection, once severed, updated my labels and removed Event.

0 Karma
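
Added example, not part of the original thread and not Splunk's own code: when the Asset Configuration UI shows no label field, searching the raw asset records for the label value shows which asset holds it and where. It assumes the assets have been exported as JSON (for instance from the SOAR REST asset endpoint); the sample records and the `configuration.ingest.container_label` layout are constructed assumptions, and the search walks every field so it does not depend on that layout.

```python
import json

# Constructed sample shaped like a list of exported asset records.
# The field layout (configuration.ingest.container_label) is an assumption.
SAMPLE_ASSETS = json.loads("""
[
  {"id": 3, "name": "splunk", "product_name": "Splunk Enterprise",
   "configuration": {"ingest": {"container_label": "event", "poll": false}}},
  {"id": 7, "name": "rest_api", "product_name": "REST",
   "configuration": {"base_url": "https://soar.example.invalid"}},
  {"id": 9, "name": "mail", "product_name": "IMAP",
   "configuration": {"ingest": {"container_label": "events", "poll": true}}}
]
""")


def find_label_paths(node, label, path=""):
    """Yield the JSON path of every string value equal to label.

    Matching is case-insensitive, so "Event" and "event" are treated alike,
    but "events" is a different label and does not match.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_label_paths(value, label, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_label_paths(value, label, f"{path}[{index}]")
    elif isinstance(node, str) and node.strip().lower() == label.lower():
        yield path


def assets_using_label(assets, label):
    """Map asset name -> list of JSON paths where the label is stored."""
    hits = {}
    for asset in assets:
        paths = list(find_label_paths(asset, label))
        if paths:
            hits[asset.get("name", f"id={asset.get('id')}")] = paths
    return hits


if __name__ == "__main__":
    for name, paths in assets_using_label(SAMPLE_ASSETS, "event").items():
        print(f"{name}: {', '.join(paths)}")
```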