Splunk® Enterprise Security

Administer Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Asset and identity fields after processing in Splunk Enterprise Security

The following tables describe the fields that exist in the asset and identity lookups after Splunk Enterprise Security finishes processing the source lookup files. These fields are the fields present in the lookups that store merged asset and identity data. See Lookups that store merged asset and identity data in Splunk Enterprise Security.

For more information about the merge process, see How Splunk Enterprise Security processes and merges asset and identity data.

Asset fields after processing

Asset fields of the asset lookup after the saved searches perform the merge process.

Field Action taken by ETL
bunit unchanged
city unchanged
country unchanged
dns Accepts pipe-delimited values and converts them to a multi-value field.
lat unchanged
long unchanged
mac Accepts pipe-delimited values and converts them to a multi-value field.
nt_host Accepts pipe-delimited values and converts them to a multi-value field.
owner unchanged
priority unchanged
asset_id Generated from the values of dns, ip, mac, and nt_host fields.
asset_tag Generated from the values of category, pci_domain, is_expected, should_timesync, should_update, requires_av, and bunit fields.
category Appends "pci" if the value contains "cardholder". Accepts pipe-delimited values and converts them to a multi-value field.
ip Validates and splits the field into CIDR subnets as necessary. Accepts pipe-delimited values and converts them to a multi-value field.
pci_domain Appends "trust" or "untrust" based on certain field values. Accepts pipe-delimited values and converts them to a multi-value field.
is_expected Normalized to a boolean.
should_timesync Normalized to a boolean.
should_update Normalized to a boolean.
requires_av Normalized to a boolean.
key Generated by the ip, mac, nt_host, and dns fields after the original fields are transformed.

Identity fields after processing

Identity fields of the identity lookup after the saved searches perform the merge process.

Field Action taken by ETL
bunit unchanged
email unchanged
endDate unchanged
first unchanged
last unchanged
managedBy unchanged
nick unchanged
phone unchanged
phone2 unchanged
prefix unchanged
priority unchanged
startDate unchanged
suffix unchanged
work_city unchanged
work_country unchanged
work_lat unchanged
work_long unchanged
watchlist Normalized to a boolean.
category Appends "pci" if the value contains "cardholder". Accepts pipe-delimited values and converts them to a multi-value field.
identity Generated based on values in the input row and conventions specified in the Identity Lookup Configuration. Accepts pipe-delimited values and converts them to a multi-value field.
identity_id Generated from the values of identity, first, last, and email.
identity_tag Generated from the values of bunit, category, and watchlist.
Last modified on 11 September, 2019
Lookups that store merged asset and identity data in Splunk Enterprise Security   Test the asset and identity merge process in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters