Splunk SOAR
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk SOAR - Delete Almost unused Label?

curtisjester
Explorer
‎11-26-2024 10:18 AM

Hey there,

Let me start off by saying I can delete labels if there are no assets using them. The issue originates when an asset is "using" these labels but I cannot tell how.

 

For some reason we have "event" and "events" where I would like to delete the unused "event" label. But there's an asset using it. Looking under all configured assets I cannot find where the label "event" is used.

 

How can I accomplish my goal of finding the asset that is listed, when it's only a simple description:
1 Asset (asset name)

 

When looking at all my assets, only one matches. But inside this asset for the app Rest API, I can't find any mention or designation for labels whatsoever.

curtisjester_0-1732644961789.png

The asset

curtisjester_1-1732645024791.pngcurtisjester_2-1732645068016.png

 

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

marnall
Motivator
‎11-26-2024 10:52 AM

There must be a tab in Asset Configuration called "Ingest Settings", in the middle between Asset Settings and Approval Settings. In that area you can specify the label to apply to created objects from the app.

Since this is missing in your "splunk" asset, something is broken. You might need to delete the asset and re-create it to get it to let go of the label.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

marnall
Motivator
‎11-26-2024 10:52 AM

There must be a tab in Asset Configuration called "Ingest Settings", in the middle between Asset Settings and Approval Settings. In that area you can specify the label to apply to created objects from the app.

Since this is missing in your "splunk" asset, something is broken. You might need to delete the asset and re-create it to get it to let go of the label.

0 Karma
Reply
Solved! Jump to solution

curtisjester
Explorer
‎11-26-2024 11:12 AM

That worked; not sure why that was the case -- I will note you weren't correct in regards to "Ingest settings" but for some reason the asset defaulted to the Event label instead of "events" and this connection, once severed, updated my labels and removed Event

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...