Splunk for Asset Discovery: How do I get data to show in this app?

mi5cyberninja
New Member

Hi MW,

There is no step by step documentation for newbies on how to use this app. Please tell me how to kickstart this app?

It's not showing any data as of now.

Thanks and regards
Cybermi5ninja

0 Karma

mw
Splunk Employee

If you've installed the asset discovery app on a single Splunk server you'll just need to make sure that you've also installed nmap and that it's in an available path. If you look at the scripted inputs for the app (found here-ish: http://localhost:8000/en-US/manager/asset_discovery/data/inputs/script?search=nmap&count=25 ), you should ensure that the correct inputs are listed as "Enabled" for your platform. You can control the execution interval there as well if you click on the inputs. By default the script will attempt to scan its own subnet. If you'd like to configure scan targets there's a section on the documentation page for the app called "Customizing scan targets" which explains the process. The ping and port scans, or whatever other scans you configure, will execute on the interval that you specify and the resulting data will go into an index called asset_discovery. A search in Splunk of something like this should show some data after execution: index=asset_discovery earliest=-2d

If you're not getting data then there are a couple of things you can check. Make sure that you can execute nmap from the command line as the same user that you have Splunk running under. On that note, nmap really doesn't work very well without having elevated privileges. There are notes on these items on the documentation page for the app. That page is not a step-by-step guide, but it covers a few of these items. I hope that helps.
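
The checks described in the reply above (nmap on an available path, runnable by the account Splunk runs under, and with elevated privileges) can be scripted. This is an added example, not part of the reply or of the app; it assumes a Linux/Unix Splunk host, and the function names and exit codes are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): preflight for the nmap scripted input.
# Assumes a Linux/Unix Splunk host; run it as the account that runs splunkd.

# Resolve an executable along an explicit PATH-style list, so the check
# reflects the service account's PATH rather than an admin's login shell.
resolve_in_path() {
    name=$1
    pathlist=$2
    old_ifs=$IFS
    IFS=:
    for dir in $pathlist; do
        IFS=$old_ifs
        # Skip empty entries: in PATH they mean "current directory".
        if [ -n "$dir" ] && [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Exit codes: 0 ready, 1 nmap not on PATH, 2 found but will not execute,
# 3 runs but without root (nmap falls back to unprivileged scan methods).
nmap_preflight() {
    pathlist=$1
    uid=$2
    if ! bin=$(resolve_in_path nmap "$pathlist"); then
        echo "FAIL: nmap not found in PATH=$pathlist"
        return 1
    fi
    if ! "$bin" --version >/dev/null 2>&1; then
        echo "FAIL: $bin exists but does not run for uid $uid"
        return 2
    fi
    if [ "$uid" -ne 0 ]; then
        echo "WARN: $bin runs, but uid $uid is not root"
        return 3
    fi
    echo "OK: $bin runs as root"
    return 0
}

# Check the current account; never aborts the calling shell.
nmap_preflight "$PATH" "$(id -u)" || echo "preflight exit code: $?"
```

Run it under the same account that runs Splunk, so the PATH and uid it reports are the ones the scripted input actually gets.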

Waltersr24
New Member

What would be an available path?

0 Karma

mi5cyberninja
New Member

I followed the documentation and I get the following error:

"Encountered the following error while trying to save : In handler 'script': The command path "\opt\splunk\demo\etc\apps\assets\asset_discovery\bin\nmap.sh" is not allowed for scripted inputs"

0 Karma

richgalloway
SplunkTrust

Are you running Splunk on Windows or Linux? The command path you gave has backslashes like in Windows, but ends in '.sh' like in Linux. Also, the path itself is a little odd with 'demo' in it.

---
If this reply helps you, Karma would be appreciated.
0 Karma

mi5cyberninja
New Member

Thanks richgalloway. It's my mistake that I gave the /opt/splunk....as path

Now I gave c:\program files.......\nmap.cmd -A -0 and I think it is accepting although I need to check whether the scanning is performed or not

But my concern is, there are 2 scripts 1 for ping and 1 for port identification, only port services are showing windows path whereas ping script is showing linux path.. confused!! 😞

0 Karma

mi5cyberninja
New Member

Also, can you tell what are scan points in asset discovery app?

I see the IPs of few devices from which the syslog is being forwarded.

The most important part of dashboard is "Asset Availability" which is saying "No results found".

0 Karma

richgalloway
SplunkTrust

There should be two instances of each AD search - one for Windows and one for Linux. Enable the ones for your OS and disable the others. Edit the scripts as needed so they scan the right IP address space(s).
Run the scripts from the command line so you can verify they are running correctly.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust

Is the nmap program installed on your Splunk server? Does the user running Splunk have permission to run nmap?

---
If this reply helps you, Karma would be appreciated.
0 Karma

mi5cyberninja
New Member

Source name override is always showing nmap by default? Why is it so?

I messed up with some settings, but someone please help me

0 Karma

mi5cyberninja
New Member

Is the nmap program installed on your Splunk server? - Yes

Does the user running Splunk have permission to run nmap? - I am the administrator and I have installed Splunk and nmap on same machine.

0 Karma

richgalloway
SplunkTrust

Double-check the Asset Discovery scripts to make sure the right ones are enabled. Perhaps @mwilson_splunk can offer other suggestions.

---
If this reply helps you, Karma would be appreciated.
0 Karma

mi5cyberninja
New Member

That's where I am lagging a bit. I am a newbie to Splunk and not sure what to check and where to check for scripts. Can you please guide me on this?

0 Karma

richgalloway
SplunkTrust

To see the AD inputs, go to Settings->Data Inputs->Scripts and look for "asset_discovery" in the "App" column. Some of the input scripts are intended for Windows and others for Linux. Make sure the scripts appropriate for your environment are enabled ("Status" column).

---
If this reply helps you, Karma would be appreciated.
0 Karma