Modify asset and identity lookups in Splunk Enterprise Security
Make changes to the asset and identity lookups in Splunk Enterprise Security to add new assets or identities, or change existing values in the lookup tables. You can also disable or enable existing lookups.
Edit asset and identity lookups
Edit an asset or identity lookup in the Identity Management dashboard.
- In Enterprise Security, select Configure > Data Enrichment > Identity Management.
- Find the name of the asset or identity list you want to edit, and select Source. The list opens in an interactive editor.
- Use the scroll bars to view the columns and rows in the table. Double click a cell to add, change, or remove content.
- Click Save when you are finished.
Changes made to an asset or identity list will be reflected in search results after the next scheduled merge. See How Splunk Enterprise Security processes and merges asset and identity data.
Disable or enable asset and identity lookups
Disable or enable an asset or identity lookup table file. Disable a list to prevent the contents of that list from being included in the merge process. Enable a disabled list to allow the list to be merged at the next scheduled merge of the asset or identity data. Disabling a list does not delete the data from Splunk Enterprise Security.
- In Enterprise Security, select Configure > Data Enrichment > Identity Management.
- Locate the asset or identity lookup you want to disable.
- Click Disable or Enable.
Disable the demo asset and identity lookups
Disable the demo asset and identity lookups to prevent the demo data from being added to the primary asset and identity lookups used by Splunk Enterprise Security for asset and identity correlation. Splunk Enterprise Security enables the demo asset and identity lookups after installation or upgrade. After you disable the demo data lookups, saved searches update the primary asset and identity lookups and removes the data from the disabled lookups from the primary lookups.
- In Enterprise Security, select Configure > Data Enrichment > Identity Management.
- Locate the demo_assets and demo_identities lookups.
- Click Disable for each.
Asset and identity lookup header and field reference | Example methods of adding asset and identity data to Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 Cloud only
Feedback submitted, thanks!