This documentation does not apply to the most recent version of Splunk® Enterprise Security.
For documentation on the most recent version, go to the latest release.
Lookups that store merged asset and identity data in Splunk Enterprise Security
After the asset and identity merging process completes, four lookups store your asset and identity data.
| Function | Table name | Saved search | Lookup name |
|---|---|---|---|
| String-based asset correlation | assets_by_str.csv | Identity - Asset String Matches - Lookup Gen | LOOKUP-zu-asset_lookup_by_str-dest LOOKUP-zu-asset_lookup_by_str-dvc LOOKUP-zu-asset_lookup_by_str-src |
| CIDR subnet-based asset correlation | assets_by_cidr.csv | Identity - Asset CIDR Matches - Lookup Gen | LOOKUP-zv-asset_lookup_by_cidr-dest LOOKUP-zv-asset_lookup_by_cidr-dvc LOOKUP-zv-asset_lookup_by_cidr-src |
| String-based identity correlation | identities_expanded.csv | Identity - Identity Matches - Lookup Gen | LOOKUP-zy-identity_lookup_expanded-src_user LOOKUP-zy-identity_lookup_expanded-user |
| Default field correlation | identity_lookup_default_fields.csv asset_lookup_default_fields.csv |
LOOKUP-zz-asset_identity_lookup_default_fields-dest LOOKUP-zz-asset_identity_lookup_default_fields-dvc LOOKUP-zz-asset_identity_lookup_default_fields-src LOOKUP-zz-asset_identity_lookup_default_fields-src_user LOOKUP-zz-asset_identity_lookup_default_fields-user |
For more information about the asset and identity merge process, see How Splunk Enterprise Security processes and merges asset and identity data.
Last modified on 09 September, 2019
| How Splunk Enterprise Security processes and merges asset and identity data | Asset and identity fields after processing in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1
Download manual
Feedback submitted, thanks!