The asset input uses the sourcetype otbase:assets. The source is "OTbase:" followed by the hostname or IP address of the host on which OTbase Inventory is installed.
The assets input generates one event per device per configuration change, and the timestamp of the configuration change is used as the event time (_time), not the time at which the event was ingested. A device whose configuration has not changed for months therefore has no event inside the default time range of the time picker and will be missing from the results. For this reason it is important that you select "All time" for general search queries, or otherwise cover the full history explicitly in the search.
Most of the data fields correspond to the Portable Inventory Data format, with the following exceptions:
- module information for automation systems is suppressed
- vulnerability data is suppressed (it is represented in its own sourcetype, "otbase:vulns")
- context information is represented in other fields, such as "location" and "site".
Some fields, such as "ip", "mac" and "vlan", are duplicated from their counterparts in the connections{} multivalue field so that they are directly accessible from Splunk standard applications such as Enterprise Security.
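The following searches are added examples and are not part of the OTbase app itself. They show how to work with the one-event-per-change model described above. The field used as the device identifier is assumed to be "name"; the index is assumed to be the one the app writes to (replace "index=otbase" with your actual index). The first search reconstructs the current inventory state, keeping only the most recent change per device; the explicit earliest=0 latest=now override the time picker so that long-unchanged devices are not dropped. The second search lists the configuration history of a single device.

```spl
index=otbase sourcetype=otbase:assets earliest=0 latest=now
| stats latest(_time) as last_change latest(ip) as ip latest(mac) as mac latest(vlan) as vlan latest(location) as location latest(site) as site by name
| eval last_change=strftime(last_change, "%Y-%m-%d %H:%M:%S")
| sort name

index=otbase sourcetype=otbase:assets name="PLC-01" earliest=0 latest=now
| table _time ip mac vlan location site
| sort - _time
```

Vulnerability information is not returned by these searches because it lives in the separate sourcetype otbase:vulns; to correlate the two, join on the same device identifier field, again over the full time range.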