Splunk® Enterprise Security

Use Splunk Enterprise Security

Splunk Enterprise Security version 4.6.x is available only to Splunk Cloud subscribers.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Asset and identity lookup header and field reference

To add asset and identity data to Splunk Enterprise Security, format the lookup files with the expected headers and fields. See Add asset and identity data to Splunk Enterprise Security for the full list of steps.

Asset lookup header

ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av

Asset lookup fields

Populate the following fields in an asset lookup.

Note: To add multi-homed hosts or devices to the asset list, add each IP address to the ip field for the host, pipe-delimited. Multi-homed support is limited, and having multiple hosts with the same IP address on different network segments can cause conflicts in the merge process.

Field Data type Description Example values
ip pipe-delimited numbers A pipe-delimited list of single IP address or CIDR IP ranges. An asset is required to have an entry in the ip, mac, nt_host, or dns fields. Do not use pipe-delimiting for more than one of these fields per asset. 2.0.0.0/8|1.2.3.4|192.168.15.9-192.169.15.27|5.6.7.8|10.11.12.13
mac pipe-delimited strings A pipe-delimited list of MAC address. An asset is required to have an entry in the ip, mac, nt_host, or dns fields. Do not use pipe-delimiting for more than one of these fields per asset. 00:25:bc:42:f4:60|00:50:ef:84:f1:21|00:50:ef:84:f1:20
nt_host pipe-delimited strings A pipe-delimited list of Windows machine names. An asset is required to have an entry in the ip, mac, nt_host, or dns fields. Do not use pipe-delimiting for more than one of these fields per asset. ACME-0005|SSPROCKETS-0102|COSWCOGS-013
dns pipe-delimited strings A pipe-delimited list of DNS names. An asset is required to have an entry in the ip, mac, nt_host, or dns fields. Do not use pipe-delimiting for more than one of these fields per asset. acme-0005.corp1.acmetech.org|SSPROCKETS-0102.spsp.com|COSWCOGS-013.cwcogs.com
owner string The user or department associated with the device f.prefect@acmetech.org, DevOps, Bill
priority string The priority assigned to the device for calculating the Urgency field for notable events. An "unknown" priority reduces the assigned Urgency by default. For more information, see Notable Event Urgency assignment. unknown, low, medium, high or critical.
lat string The latitude of the asset 41.040855
long string The longitude of the asset 28.986183
city string The city in which the asset is located Chicago
country string The country in which the asset is located USA
bunit string The business unit of the asset EMEA, NorCal
category pipe-delimited strings A pipe-delimited list of logical classifications for assets. Used for asset and identity correlation and categorization. See Categories. server|web_farm|cloud
pci_domain pipe-delimited strings A pipe-delimited list of PCI domains. See Configure assets in the Splunk App for PCI Compliance Installation and Configuration Manual. trust, trust|wireless, trust|cardholder, trust|dmz, untrust
If left blank, defaults to untrust.
is_expected boolean Indicates whether events from this asset should always be expected. If set to true, the Expected Host Not Reporting correlation search performs an adaptive response action when this asset stops reporting events. "true", or blank to indicate "false"
should_timesync boolean Indicates whether this asset must be monitored for time-sync events. It set to true, the Should Timesync Host Not Syncing correlation search performs an adaptive response action if this asset does not report any time-sync events from the past 24 hours. "true", or blank to indicate "false"
should_update boolean Indicates whether this asset must be monitored for system update events. "true", or blank to indicate "false"
requires_av boolean Indicates whether this asset must have anti-virus software installed. "true", or blank to indicate "false"

Identity lookup header

identity,prefix,nick,first,last,suffix,email,phone,phone2,managedBy,priority,bunit,category,watchlist,startDate,endDate,work_city,work_country,work_lat,work_long

Identity lookup fields

Field Data type Description Example
identity pipe-delimited strings Required. A pipe-delimited list of username strings representing the identity. After the merge process completes, this field includes generated values based on the identity lookup configuration settings. a.vanhelsing|abraham.vanhelsing|a.vanhelsing@acmetech.org
prefix string Prefix of the identity. Ms., Mr.
nick string Nickname of an identity. Van Helsing
first string First name of an identity. Abraham
last string Last name of an identity. Van Helsing
suffix string Suffix of the identity. M.D., Ph.D
email string Email address of an identity. a.vanhelsing@acmetech.org
phone string A telephone number of an identity. 123-456-7890
phone2 string A secondary telephone number of an identity. 012-345-6789
managedBy string A username representing the manager of an identity. phb@acmetech.org
priority string The assigned priority of an identity. unknown, low, medium, high or critical.
bunit string A group or department classification for identities. Field Reps, EMEA, APAC
category pipe-delimited strings A pipe-delimited list of logical classifications for identities. Used for asset and identity correlation and categorization. See Categories. Privileged|Officer|CISO
watchlist boolean Marks the identity for activity monitoring. Accepted values: "true" or empty. See User Activity Monitoring in this manual.
startDate string The start or hire date of an identity. Formats: %m/%d/%Y %H:%M, %m/%d/%y %H:%M, %s
endDate string The end or termination date of an identity. Formats: %m/%d/%Y %H:%M, %m/%d/%y %H:%M, %s
work_city string The primary work site City for an identity.
work_country string The primary work site Country for an identity.
work_lat string The latitude of primary work site City in DD with compass direction. 37.78N
work_long string The longitude of primary work site City in DD with compass direction. 122.41W
Last modified on 28 June, 2017
How Splunk Enterprise Security processes and merges asset and identity data   Modify asset and identity lookups in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 Cloud only


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters