Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Modify asset and identity lookups in the Splunk App for PCI Compliance

Make changes to the asset and identity lookups in the Splunk App for PCI Compliance to add new assets or identities, or change existing values in the lookup tables. You can also disable or enable existing lookups.

Edit asset and identity lookups

Edit an asset or identity lookup in the Identity Management dashboard.

  1. In the Splunk App for PCI Compliance, select Configure > Data Enrichment > Identity Management.
  2. Find the name of the asset or identity list you want to edit, and click the link in the Source column. The list opens in an interactive editor.
  3. Use the scroll bars to view the columns and rows in the table. Double click a cell to add, change, or remove content.
  4. Click Save when you are finished.

Changes made to an asset or identity list will be reflected in search results after the next scheduled merge.

Disable or enable asset and identity lookups

Disable an input to prevent the contents of the corresponding list from being included in the merge process. Enable a disabled input to allow the associated list to be merged at the next scheduled merge of the asset or identity data. Disabling an input does not delete the data from the associated lookup from the Splunk App for PCI Compliance.

  1. In the Splunk App for PCI Compliance, select Configure > Data Enrichment > Identity Management.
  2. Locate the asset or identity lookup you want to disable.
  3. Click Disable or Enable.

Starting with version 3.5.0, asset and identity lookup inputs are disabled by default after installation. Local settings are respected after an upgrade.

Disable the demo asset and identity lookups

The demo asset and identity lookups are disabled by default. Disable the demo asset and identity lookups to prevent the demo data from being added to the primary asset and identity lookups used by the Splunk App for PCI Compliance for asset and identity correlation. After you disable the demo data lookups, saved searches update the primary asset and identity lookups and removes the data from the disabled lookups from the primary lookups.

  1. In the Splunk App for PCI Compliance, select Configure > Data Enrichment > Identity Management.
  2. Locate the demo_assets and demo_identities lookups.
  3. Click Disable for each.
Last modified on 23 September, 2019
Configure identities   Example methods of adding asset and identity data to the Splunk App for PCI Compliance

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters