Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Modify asset and identity lookups in Splunk Enterprise Security

Make changes to the asset and identity lookups in Splunk Enterprise Security to add new assets or identities, or change existing values in the lookup tables. You can also disable or enable existing lookups.

Edit asset and identity lookups

Edit an asset or identity lookup in the Identity Management dashboard.

  1. In Enterprise Security, select Configure > Data Enrichment > Identity Management.
  2. Find the name of the asset or identity list you want to edit, and select Source. The list opens in an interactive editor.
  3. Use the scroll bars to view the columns and rows in the table. Double click a cell to add, change, or remove content.
  4. Click Save when you are finished.

Changes made to an asset or identity list will be reflected in search results after the next scheduled merge. See How Splunk Enterprise Security processes and merges asset and identity data.

Disable or enable asset and identity lookups

Disable or enable an asset or identity lookup table file. Disable a list to prevent the contents of that list from being included in the merge process. Enable a disabled list to allow the list to be merged at the next scheduled merge of the asset or identity data. Disabling a list does not delete the data from Splunk Enterprise Security.

  1. In Enterprise Security, select Configure > Data Enrichment > Identity Management.
  2. Locate the asset or identity lookup you want to disable.
  3. Click Disable or Enable.

Disable the demo asset and identity lookups

Disable the demo asset and identity lookups to prevent the demo data from being added to the primary asset and identity lookups used by Splunk Enterprise Security for asset and identity correlation. Splunk Enterprise Security enables the demo asset and identity lookups after installation or upgrade. After you disable the demo data lookups, saved searches update the primary asset and identity lookups and removes the data from the disabled lookups from the primary lookups.

  1. In Enterprise Security, select Configure > Data Enrichment > Identity Management.
  2. Locate the demo_assets and demo_identities lookups.
  3. Click Disable for each.
Last modified on 06 October, 2016
Asset and identity lookup header and field reference   Example methods of adding asset and identity data to Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 Cloud only


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters