Asset and identity fields after processing in Splunk Enterprise Security
The following tables describe the fields that exist in the asset and identity lookups after Splunk Enterprise Security finishes processing the source lookup files. These fields are the fields present in the lookups that store merged asset and identity data. See Lookups that store merged asset and identity data in Splunk Enterprise Security.
The tables below list the default asset and identity fields in the KV store collections after the merge process completes. However, take note that it is possible to revise fields from multivalue to single, and tag or untag fields. It is also possible to add custom fields.
Asset fields after processing
Asset fields of the asset lookup after the saved searches perform the merge process.
| Field | Action taken by ETL |
|---|---|
| bunit | unchanged |
| city | unchanged |
| country | unchanged |
| dns | Accepts all values and converts them to a multi-value field. |
| lat | unchanged |
| long | unchanged |
| mac | Accepts all values and converts them to a multi-value field. |
| nt_host | Accepts all values and converts them to a multi-value field. |
| owner | unchanged |
| priority | unchanged |
| asset_id | Generated from the values of dns, ip, mac, and nt_host fields. |
| asset_tag | By default, generated from the values of category, pci_domain, is_expected, should_timesync, should_update, requires_av, and bunit fields. Also custom generated from assets that have been tagged. See Asset Settings. |
| category | Appends "pci" if the value contains "cardholder". Accepts all values and converts them to a multi-value field. |
| ip | Validates and splits the field into CIDR subnets as necessary. Accepts all values and converts them to a multi-value field. |
| pci_domain | Appends "trust" or "untrust" based on certain field values. Accepts all values and converts them to a multi-value field. |
| is_expected | Normalized to a boolean. |
| should_timesync | Normalized to a boolean. |
| should_update | Normalized to a boolean. |
| requires_av | Normalized to a boolean. |
| asset | Generated by the ip, mac, nt_host, and dns fields after the original fields are transformed. |
Identity fields after processing
Identity fields of the identity lookup after the saved searches perform the merge process.
| Field | Action taken by ETL |
|---|---|
| bunit | unchanged |
| unchanged | |
| endDate | unchanged |
| first | unchanged |
| last | unchanged |
| managedBy | unchanged |
| nick | unchanged |
| phone | unchanged, multivalue |
| prefix | unchanged |
| priority | unchanged |
| startDate | unchanged |
| suffix | unchanged |
| work_city | unchanged |
| work_country | unchanged |
| work_lat | unchanged |
| work_long | unchanged |
| watchlist | Normalized to a boolean. |
| category | Appends "pci" if the value contains "cardholder". Accepts all values and converts them to a multi-value field. |
| identity | Generated based on values in the input row and conventions specified in the Identity Lookup Configuration. Accepts all values and converts them to a multi-value field. |
| identity_id | Generated from the values of identity, first, last, and email. |
| identity_tag | By default, generated from the values of bunit, category, and watchlist. Also custom generated from assets that have been tagged. See Identity Settings. |
| Lookups that store merged asset and identity data in Splunk Enterprise Security | Modify asset and identity lookups |
This documentation applies to the following versions of Splunk® Enterprise Security: 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0
Download manual
Feedback submitted, thanks!