Splunk® Enterprise Security

Administer Splunk Enterprise Security

Download manual as PDF

Download topic as PDF

Configure a new asset or identity list in Splunk Enterprise Security

Configure a new asset or identity lookup in Splunk Enterprise Security. This multistep process adds the lookup in Splunk Enterprise Security and defines the lookup for the merge process.

Prerequisites

  1. Collect and extract asset and identity data in Splunk Enterprise Security.
  2. Format the asset or identity list as a lookup in Splunk Enterprise Security.

Steps

  1. Add the new lookup table file
  2. Set permissions on the lookup table file to share it with Splunk Enterprise Security
  3. Add a new lookup definition
  4. Set permissions on the lookup definition to share it with Splunk Enterprise Security

Add the new lookup table file

These lookup table files are consumed by the asset and identity framework and merged together. The product of the merge is called an "expanded lookup."

  1. From the Splunk menu bar, select Settings > Lookups > Lookup table files.
  2. Click New.
  3. Select a Destination App of SA-IdentityManagement.
  4. Select the lookup file to upload.
  5. Type the Destination filename that the lookup table file should have on the search head. The name should include the filename extension.
    For example, network_assets_from_CMDB.csv
  6. Click Save to save the lookup table file and return to the list of lookup table files.

In a distributed environment, these lookup table files are not replicated from the search heads to the indexers. Only the expanded lookup is replicated to the indexers. However, these lookup files are still replicated between search heads. If an asset or identity lookup table file grows in excess of 1GB+, it should be broken down into smaller files (for example, by location or by type or by easily identifiable category). When making changes to lookup files, only the updated files are replicated across search heads, reducing bundle sizes.

Set permissions on the lookup table file to share it with Splunk Enterprise Security

  1. From Lookup table files, locate the new lookup table file and select Permissions.
  2. Set Object should appear in to All apps.
  3. Set Read access for Everyone.
  4. Set Write access for admin or other roles.
  5. Click Save.

Add a new lookup definition

  1. From the Splunk menu bar, select Settings > Lookups > Lookup definitions.
  2. Click New.
  3. Select a Destination App of SA-IdentityManagement.
  4. Type a name for the lookup source. This name must match the name defined later in the input stanza definition on the Identity Management dashboard.
    For example, network_assets_from_CMDB.
  5. Select a Type of File based.
  6. Select the lookup table file created.
    For example, select network_assets_from_CMDB.csv.
  7. Click Save.

Set permissions on the lookup definition to share it with Splunk Enterprise Security

  1. From Lookup definitions, locate the new lookup definition and select Permissions.
  2. Set Object should appear in to All apps.
  3. Set Read access for Everyone.
  4. Set Write access for admin or other roles.
  5. Click Save.

Next step

Manage assets and identities in Splunk Enterprise Security.

PREVIOUS
Format an asset or identity list as a lookup in Splunk Enterprise Security
  NEXT
Manage assets and identities in Splunk Enterprise Security

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters