The asset discovery application provides ping scans, port scans, operating system and port fingerprinting through the use of nmap in order to gain visibility into asset availability, port statistics, and even rogue device detection. The app can be deployed on a per-subnet basis in order to provide distributed scanning capabilities.
Splunk for Asset Discovery
Developed by: Mike Wilson (mwilson at splunk.com)
New Windows Support (please read): New in this version is a Windows scripted input, nmap.cmd (which calls nmap.vbs). You must create the file bin\nmap.path containing the full path to your nmap.exe (e.g. C:\Program Files\Nmap\nmap.exe). There is an example_nmap.path in the bin directory. If you do not do this, the input will fail. The Windows scripts are lightly tested; please report bugs.
Optional Dependency: If you have the Google Maps app installed (version 1.1 or later), a mapping view will be available. There is a lookup file which you should populate in order to geolocate internal IP addresses.
This app utilizes its own "asset_discovery" index. All searches use eventtypes that reference index=asset_discovery, which can easily be overridden to suit your needs.
This app utilizes the nmap command, but does not provide it. It assumes that the command is available and in the path. Additionally, the nmap binary works best if it is run as root or setuid root, because OS detection and SYN scans need raw-socket privileges. Running as a standard user will most likely yield unexpected results.
This app utilizes a scripted input, nmap.sh or nmap.cmd, to execute nmap scans of (hopefully) any type. The included scripted input will automatically include the necessary argument for "Grepable" output format as defined by nmap.org.
The scripted input will attempt to find the current host's IP address and, if no other target is given, use that IP to perform a scan of the local subnet. In this way, the app can be deployed to remote forwarders to regularly scan the forwarder's subnet, without having to configure the target for each individual forwarder. This behavior can be overridden by passing a "-t target_spec" argument to the script. Lastly, the nmap command (or nmap.exe on Windows) works best when run as root or setuid root.
With no arguments given, the scripted input will perform a ping scan of the local subnet of the current system:
You may pass standard nmap arguments through in order to perform a port scan. An input of "nmap.sh -A -O" will yield:
In order to set a target, use the "-t" option (not a standard nmap option). "nmap.cmd -t 10.159.1.100-150" will yield:
Customizing scan targets
In the event that you'd prefer to have a small number of scan points which will scan multiple networks, you'll need to create some custom data inputs. There are two types of inputs for this app: ping scans and port scans. Knowing that, from your Splunk instance (i.e. the scan point) head to Manager -> Data Inputs -> Scripts and search for "nmap". There should be 4 results: a ping scan and port scan for *nix, and the same for Windows. Find the appropriate input and "Clone" it. Enter the proper command for your situation (e.g. for a port scan of 2 subnets, something like: /opt/splunk/demo/etc/apps/asset_discovery/bin/nmap.sh -A -O -t 10.159.26.0/24 -t 10.59.27.0/24), leave the remaining fields alone, and click "Save".
You can have a single scan which has many targets, per the previous example, or you may create new inputs for each in the event that you'd like to stagger their execution, etc. You should be able to pass in any standard nmap arguments. A "-oG" option will be automatically inserted in order to force the "Grepable" format. Targets should be prefixed with a "-t" switch per the example.
The nmap.sh or nmap.cmd scripted input can be run directly from the command line for testing.
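Because the scripted input forces nmap's grepable (-oG) format, the events Splunk indexes are one tab-separated "Host:" line per host. The following is an added example, not the app's code, that parses that format and compares two scans to report newly opened ports and newly seen hosts, which is the kind of change a defender wants an alert on. The scan text is constructed sample data, not real nmap output, and the host names and addresses in it are invented.

```python
"""Added example (not the app's code): parse nmap grepable (-oG) output, the
format the scripted input forces, and compare two scans to report newly
opened ports and newly seen hosts. Sample scan text below is constructed."""
import re
from typing import Dict, List, Set, Tuple

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
# Port entries are separated by ", " but a version string may itself contain
# ", ", so only split where the next entry's port number follows.
ENTRY_SPLIT = re.compile(r", (?=\d+/)")


def parse_grepable(text: str) -> Dict[str, dict]:
    """Return {ip: {"hostname", "status", "os",
                    "ports": {(port, proto): (state, service, version)}}}.
    After the Host field, a grepable line is tab-separated "Key: value" fields;
    each port entry is port/state/proto/owner/service/rpc/version followed by "/"."""
    hosts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." comment lines and blanks
        fields = line.split("\t")
        match = HOST_RE.match(fields[0])
        if not match:
            continue
        ip, name = match.group(1), match.group(2)
        rec = hosts.setdefault(ip, {"hostname": name, "status": "", "os": "", "ports": {}})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                rec["status"] = value
            elif key == "OS":
                rec["os"] = value
            elif key == "Ports":
                for entry in ENTRY_SPLIT.split(value):
                    parts = entry.split("/", 6)  # keep any "/" inside the version field
                    if len(parts) != 7:
                        continue  # malformed entry; skip rather than crash the run
                    port, state, proto, _owner, service, _rpc, version = parts
                    rec["ports"][(int(port), proto)] = (state, service, version.rstrip("/"))
    return hosts


def open_ports(hosts: Dict[str, dict]) -> Set[Tuple[str, int, str]]:
    """The set of (ip, port, proto) triples reported open in a parsed scan."""
    return {(ip, port, proto)
            for ip, rec in hosts.items()
            for (port, proto), (state, _svc, _ver) in rec["ports"].items()
            if state == "open"}


def new_open_ports(previous: Dict[str, dict], current: Dict[str, dict]) -> List[Tuple[str, int, str]]:
    """Ports open now that were not open in the earlier scan."""
    return sorted(open_ports(current) - open_ports(previous))


def new_hosts(previous: Dict[str, dict], current: Dict[str, dict]) -> List[str]:
    """Hosts up now that were absent or down in the earlier scan (rogue-device check)."""
    return sorted(ip for ip, rec in current.items()
                  if rec["status"] == "Up" and previous.get(ip, {}).get("status") != "Up")


# Constructed sample output for two runs of the same /24 port scan.
PREVIOUS_SCAN = """\
# Nmap 6.01 scan initiated (constructed sample, not real output)
Host: 10.159.26.10 (web01)\tStatus: Up
Host: 10.159.26.10 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.15/\tIgnored State: closed (998)\tOS: Linux 2.6.32
Host: 10.159.26.11 (db01)\tStatus: Up
Host: 10.159.26.11 (db01)\tPorts: 22/open/tcp//ssh///, 3306/filtered/tcp//mysql///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

CURRENT_SCAN = """\
# Nmap 6.01 scan initiated (constructed sample, not real output)
Host: 10.159.26.10 (web01)\tStatus: Up
Host: 10.159.26.10 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.15/, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)\tOS: Linux 2.6.32
Host: 10.159.26.11 (db01)\tStatus: Up
Host: 10.159.26.11 (db01)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql//MySQL 5.1.61/\tIgnored State: closed (998)
Host: 10.159.26.50 ()\tStatus: Up
Host: 10.159.26.50 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

if __name__ == "__main__":
    prev, cur = parse_grepable(PREVIOUS_SCAN), parse_grepable(CURRENT_SCAN)
    for ip, port, proto in new_open_ports(prev, cur):
        print(f"new open port: {ip} {port}/{proto} {cur[ip]['ports'][(port, proto)][1]}")
    for ip in new_hosts(prev, cur):
        print(f"new host: {ip} ({cur[ip]['hostname'] or 'no name'})")
```

Run against the constructed data this reports 8080/tcp on web01, 3306/tcp going from filtered to open on db01, and a previously unseen host with telnet open. Feeding it the saved stdout of two real runs of the scripted input gives the "has a new port appeared" comparison several reviewers below ask about.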
Port Signature chart will be empty when drilling down from an "OS Signature" chart to the
Nmap and its open source goodness: nmap.org
This app utilizes the awesome work of SPP (www.spp.at) and their Google Maps Splunk app for mapping, and of course Google for making that possible
Versions and Release Notes
Version 20121101.0 (current version - updated Nov 01, 2012)
Hi, I would like to scan a number of subnets; how do I pass them as a text-file input to this scan? I know nmap accepts subnets from a txt file using the -iL option.
Where do I configure this in the app?
reviewed 11 Jan, 00:22
accept rate: 0%
Hello. First of all, I want to thank you for a very useful app.
Secondly, I would like to pull the MAC address information from the scans. It will be very useful to have that information as part of the real-time data.
If I dump my nmap scan data to XML I can see MAC address information, but I fail to find it using Splunk. Is it possible to get such data? If so, how?
I'm new to Splunk and don't know if it is possible to import nmap scan reports or not. If it is, how? Otherwise, it may be a nice feature to add.
reviewed 31 Aug '12, 11:29
accept rate: 0%
Fantastic app, thanks a lot. It works OK on Windows, but I might see if it is better on a Linux box.
On my Windows 2008 R2 server with Nmap 6.01, when a scan is running over a /24 subnet the splunkd service chugs and I cannot get to the Splunk web page. No problem now I have the scan scheduled to run at 2am.
Can you compare results from previous scans to see if a new port is enabled on a server/IP address?
How do you use this app? Can you please elaborate in the documentation on how to create custom scans, or where to add those lines mentioned above?
reviewed 08 Jun '12, 08:21
accept rate: 0%
Hello, how do you configure this app to run custom scans?
Can you please elaborate on your documentation?
reviewed 08 Jun '12, 08:20
accept rate: 0%
A problem was raised, in a distributed environment, for version = 20110704.0
reviewed 11 Apr '12, 17:07
accept rate: 31%
OK, a tad confused about this app. There is no place in the app GUI to add options or scan targets. Directions on how to modify the app (XML, etc.) to allow this would be useful. Do we have to resort to manually editing the local/inputs.conf file?
Also, I see some have posted about scanning multiple targets. The nmap.sh has a section for parsing out multiple -t args, so -t x.x.x.128/25 y.y.y.0/23 z.z.z.0/22 should work (caveat below).
Here's some odd stuff I have noticed with Nmap 5.51 (Linux): 1. It's best to use --osscan-guess with the -O option. 2. Passing multiple target subnets to nmap for scanning returns odd results vs. only passing a single target subnet. I think this is a bug in Nmap, but you should test this before lumping multiple targets into your conf stanzas, etc. Try running "nmap -sS -O --osscan-guess -oA file subnet subnet" vs. the same command with just a single subnet; do the results come out the same?
reviewed 14 Mar '12, 11:40
accept rate: 5%
Great app. I'm having problems scanning class B networks...
Can someone give an example of the input line needed to scan a class B of, let's say, 10.2.0.0/16?
I tried:
nmap.cmd -O -v -sT -t 10.2.0.0/16
and got an error in splunkd.log:
WARN iniFile ... Canot parse into key-value pair ...
The only scan that worked for me is:
nmap.cmd -O -v -sT -t 10.2.0.1-254 and so on, but I hope there is a better way to add a class B...
Found a workaround to the class B scanning by writing nmap.cmd -O -v -sT 10.2.0.0/16 -t 127.0.0.1 * (but I guess it is due to my poor knowledge of VB or Python...). I hope there will be a fix in the app itself...
Love the app, a couple of issues though while running it on our Linux indexer:
- OS signature is not being returned for any host.
- When I go to the Real Time Overview, the following error shows up on top: "Unable to get viewstate information; formatting may not be correct" and nothing ever shows up on that page.
reviewed 30 Dec '11, 10:26
accept rate: 16%