Powered by

# Update Splunk Index

The index definition is set by a search macro.

Macro Default Description
sa_rapid7_index index=rapid7 Index definition for Rapid7 asset index.

Update the index definition to the correct index that contains the rapid7:insightvm:asset sourcetype.

# How to update

  1. (In Splunk Enterprise Security) Navigate to Configure > General > General Settings.
  2. From the "App" dropdown select SA-Rapid7Assets.
  3. Update the SA-Rapid7Assets Index definition and click "Save."
  1. Navigate to Settings > Advanced Search > Search Macros.
  2. From the "App" dropdown choose SA-Rapid7Assets.
  3. Set the "Owner" dropdown to any.
  4. Click the macro named sa_rapid7_index to update the index definition.