Customize the asset and identity merge process in Splunk Enterprise Security
You can modify the saved searches that perform the asset and identity merge process to perform additional field transformations or data sanitization. Add any operations that you want to change in the merge process to the search before the
The saved searches that perform the asset and identity merge are as follows:
- Identity - Asset CIDR Matches - Lookup Gen
- Identity - Asset String Matches - Lookup Gen
- Identity - Identity Matches - Lookup Gen
Certain modifications to the saved searches are unsupported and could break the merge process or asset and identity correlation.
- Do not add or delete fields from the output.
- Do not change the output location to a different lookup table or a KV store collection.
- Do not replace the
`output_*`macros with the
Test the asset and identity merge process in Splunk Enterprise Security
Modify asset and identity lookups in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2, 7.0.0, 7.0.1