Splunk® Enterprise Security

Administer Splunk Enterprise Security

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Manage asset field settings in Splunk Enterprise Security

You can add a new asset field, enable case sensitive matching, revise multivalue field limits for assets.

Prerequisites

Perform the following prerequisite tasks before starting on these settings:

  1. Collect and extract asset and identity data in Splunk Enterprise Security.
  2. Format the asset or identity list as a lookup in Splunk Enterprise Security.
  3. Configure a new asset or identity list in Splunk Enterprise Security.

Add or edit an asset field

Asset fields are added both by default and by entering custom fields manually. You can add up to 20 custom fields for your lookups. Default key fields are dns, ip, mac, nt_host. You can configure whether a field is a key field, a tag field, a multivalue field, or all of the above.

To add a new custom asset field, do the following:

  1. From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
  2. Click the Asset Settings tab.
  3. Click Add New Field.
  4. In the New Asset Field dialog box, do the following:
    1. Enter a field name.
    2. Check the Key check box to make this field a key. When merge is enabled, assets with the same values for this field are merged. The minimum number of key fields is one.
    3. Check the Tag check box if the field can be used as an asset tag. This is a helper field for holding additional values that you want to look up, in addition to the key fields. This is not the same as tagging in Splunk Enterprise.
    4. Check the Multivalue check box if the field can output multiple values.
    5. (Optional) Revise the Limit if you want to change the number of values that display in a multivalue field merge. See Revise field limits for assets.
    6. Click Save.

The Save button is disabled when the limit is reached and is enabled again when any custom field is deleted using the Delete action link.

If you want the merge process to merge on something other than dns, ip, mac, nt_host, you can edit the default key fields. To edit an asset field, do the following:

  1. From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
  2. Click the Asset Settings tab.
  3. Click the field name that you want to edit.
    1. Check the Key check box to make this field a key. When merge is enabled, assets with the same values for this field are merged.
    2. Check the Tag check box if the field can be used as an asset tag. This is a helper field for holding additional values that you want to look up, in addition to the key fields. This is not the same as tagging in Splunk Enterprise.
    3. Check the Multivalue check box if the field can output multiple values.
    4. (Optional) Revise the Limit if you want to change the number of values that display in a multivalue field merge. See Revise field limits for assets.
    5. Click Save.

Enable case-sensitive matching for asset fields

Case sensitive matching is globally available across all fields.

Note that searches using | inputlookup ... where <filter> are case sensitive. Asset and Identity Management pages might use searches that contain where clauses. When case sensitivity is set to false, the merge process stores the values as lowercase so that case insensitive matches can be performed. To avoid this, you can toggle the case sensitive settings to true.

To use case-sensitive matching, do the following:

  1. From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
  2. Click the Asset Settings tab.
  3. Enable the Enable case sensitive asset matching switch.
  4. Click Update to trigger the merge process and rewrite the asset_lookup_by_str and asset_lookup_by_cidr KV store collections.

Revise multivalue field limits for assets

The default number of multivalue asset fields that display after merging is 6 for key fields and 25 for non-key fields.

To revise multivalue field limits, perform the following steps:

  1. From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
  2. Click the Asset Settings tab.
  3. Scroll to find the field name that you're looking for and do the following:
    1. Click on the link.
    2. Change the Field Limit value.
  4. Click Save.

The field value range for a non-key multivalue field is 1 - 100. The field value range for a key multivalue field is 1 - 25. The reason that the default multivalue key field limit is 6 for assets is because there are 4 key fields. If each key field contains 6 values, the merge process results in an asset field with 24 key values. Performance issues can occur when a resulting asset field contains 25 key values. You can set a key multivalue field to 25, but performance issues can also occur if multiple key fields have 25 values.

If your source CSV file contains more values in a multivalue field than the limit, these values are truncated during the merge process. This means that in addition to not being displayed in the results, they also are removed from the data altogether. If you search or lookup on the truncated values, you will not find them because they do not exist.

If your data gets truncated, you can revise key multivalue fields to 25, and non-key multivalue fields to 100. Raising the limits has the potential to impact performance.

If your data still gets truncated, but you want to see more than the maximum values, then you need to revise your source CSV files to spread out those values so that they seem to be part of different assets, by making sure that there are no duplicate values in the key fields.

Key fields are dns, ip, mac, and nt_host. If you store extra information in your key fields, such as the same IP address assigned to multiple systems, these duplicate IP addresses are now merged together as one asset. Make sure that the information in your key fields either belongs to the same asset or does not overlap.

Example of revising multivalue field limits

As an example, you have a source CSV file that contains 9 values in the mac key field and 7 values in the bunit field, such as the following:

ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
192.0.2.2,mac1|mac2|mac3|mac4|mac5|mac6|mac7|mac8|mac9,host1,dns1,owner1,,,,,,bunit1|bunit2|bunit3|bunit4|bunit5|bunit6|bunit7,,,,,,

Using the default limit of 6 for the mac multivalue key field and revising the limit to 5 for the bunit multivalue field, these are merged into an asset where the mac key field values are truncated to 6 and the bunit non-key values are truncated to 5.

bunit pci_domain nt_host ip asset asset_tag mac dns owner

bunit1
bunit2
bunit3
bunit4
bunit5

untrust host1 192.0.2.2

dns1
192.0.2.2
mac1
mac2
mac3
mac4
mac5
mac6
host1

bunit1
bunit2
bunit3
bunit4
bunit5

mac1
mac2
mac3
mac4
mac5
mac6
mac7
mac8
mac9

dns1 owner1
Last modified on 30 July, 2020
PREVIOUS
Manage asset lookup configuration policies in Splunk Enterprise Security
  NEXT
Manage identity lookup configuration policies in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 6.3.0 Cloud only, 6.4.0


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters