Lookups that store merged asset and identity data in Splunk Enterprise Security
After the asset and identity merging process completes, four lookups store your asset and identity data.
Function | Table name | Saved search | Lookup name |
---|---|---|---|
String-based asset correlation | assets_by_str.csv | Identity - Asset String Matches - Lookup Gen | LOOKUP-zu-asset_lookup_by_str-dest, LOOKUP-zu-asset_lookup_by_str-dvc, LOOKUP-zu-asset_lookup_by_str-src |
CIDR subnet-based asset correlation | assets_by_cidr.csv | Identity - Asset CIDR Matches - Lookup Gen | LOOKUP-zv-asset_lookup_by_cidr-dest, LOOKUP-zv-asset_lookup_by_cidr-dvc, LOOKUP-zv-asset_lookup_by_cidr-src |
String-based identity correlation | identities_expanded.csv | Identity - Identity Matches - Lookup Gen | LOOKUP-zy-identity_lookup_expanded-src_user, LOOKUP-zy-identity_lookup_expanded-user |
Default field correlation | identity_lookup_default_fields.csv, asset_lookup_default_fields.csv | | LOOKUP-zz-asset_identity_lookup_default_fields-dest, LOOKUP-zz-asset_identity_lookup_default_fields-dvc, LOOKUP-zz-asset_identity_lookup_default_fields-src, LOOKUP-zz-asset_identity_lookup_default_fields-src_user, LOOKUP-zz-asset_identity_lookup_default_fields-user |
For more information about the asset and identity merge process, see How Splunk Enterprise Security processes and merges asset and identity data.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1