How Splunk Enterprise Security processes and merges asset and identity data
Splunk Enterprise Security takes the asset and identity data that you add as lookups and generates combined lookup files. Splunk Enterprise Security uses the generated lookup files to correlate asset and identity data with events using automatic lookups. The following steps describe this process at a high level.
- You collect asset and identity data from data sources using an add-on and a custom search or manually with a CSV file. See Collect and extract asset and identity data.
- The Splunk Enterprise Security identity manager modular input updates settings in the
- You format the data as a lookup, using a search or manually with a CSV file. See Format the asset or identity list as a lookup.
- You configure the list as a lookup table, definition, and input. See Configure a new asset or identity list.
- You create an identity lookup configuration. See Create an identity lookup configuration.
- The Splunk Enterprise Security identity manager modular input detects two things:
  - Changed size of the CSV source file.
  - Changed update time of the CSV source file.
The merging of identity and asset lookups does not validate or de-duplicate input. Errors from the identity manager modular input are logged in identity_manager.log. This log does not show data errors.
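Because the merge does not validate or de-duplicate input and identity_manager.log does not show data errors, it helps to audit a source CSV before the modular input picks it up. The following is an added example, not Splunk's code: it flags key values shared by more than one row and rows with no key value at all. The key column names (ip, mac, nt_host, dns), the pipe multivalue delimiter, and the sample rows are assumptions to adjust for your own list.

```python
import csv
import io
from collections import defaultdict

# Assumed key columns for an asset list; change to match your lookup header.
ASSET_KEYS = ("ip", "mac", "nt_host", "dns")

# Constructed sample rows, not real data.
SAMPLE_ASSETS = """ip,mac,nt_host,dns,owner,priority
10.0.0.5,00:11:22:33:44:55,web01,web01.example.com,alice,high
10.0.0.6,,db01,db01.example.com,bob,critical
10.0.0.5,,web01-old,,carol,low
,,,,dave,medium
10.0.0.7|10.0.0.8,,app01,APP01.example.com,erin,medium
10.0.0.9,,app01b,app01.example.com,frank,low
"""


def audit_lookup(text, key_fields=ASSET_KEYS, mv_delim="|"):
    """Return (duplicates, keyless_rows, missing_columns) for a lookup CSV.

    duplicates maps (field, value) to the row numbers that share that value;
    keyless_rows lists rows in which every key field is empty.
    """
    reader = csv.DictReader(io.StringIO(text))
    missing = [f for f in key_fields if f not in (reader.fieldnames or [])]
    seen = defaultdict(list)
    keyless = []
    for rownum, row in enumerate(reader, start=2):  # row 1 is the header
        has_key = False
        for field in key_fields:
            cell = row.get(field) or ""
            # Assumption: multivalue cells use mv_delim; compare case-insensitively.
            values = {v.strip().lower() for v in cell.split(mv_delim)}
            for value in values - {""}:
                has_key = True
                seen[(field, value)].append(rownum)
        if not has_key:
            keyless.append(rownum)
    duplicates = {k: rows for k, rows in seen.items() if len(rows) > 1}
    return duplicates, keyless, missing


if __name__ == "__main__":
    duplicates, keyless, missing = audit_lookup(SAMPLE_ASSETS)
    for (field, value), rows in sorted(duplicates.items()):
        print(f"duplicate {field}={value} on rows {rows}")
    print("rows with no key field:", keyless, "| missing columns:", missing)
```

For an identity list, pass the list's own key column through `key_fields`.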
This documentation applies to the following versions of Splunk® Enterprise Security: 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2