Splunk® Enterprise Security

Administer Splunk Enterprise Security

Manage asset and identity upon upgrade

When you upgrade the Splunk Enterprise Security app to versions 6.0 or higher, you may see the following issues:

Recover Asset and Identity Management page

You may not see the Asset and Identity Management page after you upgrade to Enterprise Security 6.0 or higher, especially if you customized the menu bar in the Splunk Enterprise Security app. You have the option to restore the default Assets and Identity Management page or revert to your previous Asset and Identity Management page.

For more information on how to restore the default navigation menu bar for assets and identities, see Restore the default navigation.

Avoid merged assets and identities data

When you upgrade to Splunk Enterprise Security 6.2 or higher, your asset collection may not retain the settings that were specified in your .csv files. Instead, your assets and identities may be merged into rows, which potentially contain overlapping or duplicate information. This happens because the app automatically overwrites the old assets and identity collections.

For example, consider a source file with duplicates in the key field of nt_host, such as the following:

192.0.2.2,,host1,,,,,,,,,,,,,,
192.0.2.120,,host1,,,,,,,,,,,,,,
192.0.2.135,,host1,,,,,,,,,,,,,,
192.0.2.242,,host2,,,,,,,,,,,,,,
192.0.2.65,,host2,,,,,,,,,,,,,,

In this example, host1 is assigned to three different IP addresses and host2 is assigned to two different IP addresses. In previous versions of Splunk Enterprise Security, the Asset and Identity Management page would retain the correlations established in the .csv files of the asset collection as follows:

| asset | ip | nt_host | pci_domain |
|---|---|---|---|
| 192.0.2.2, host1 | 192.0.2.2 | host1 | untrust |
| 192.0.2.120, host1 | 192.0.2.120 | host1 | untrust |
| 192.0.2.135, host1 | 192.0.2.135 | host1 | untrust |
| 192.0.2.242, host2 | 192.0.2.242 | host2 | untrust |
| 192.0.2.65, host2 | 192.0.2.65 | host2 | untrust |

However, post upgrade the three rows with nt_host of host1 will be merged into one asset, and the two rows with host2 may be merged into another asset as follows:

| asset | ip | nt_host | pci_domain |
|---|---|---|---|
| 192.0.2.2, 192.0.2.120, 192.0.2.135, host1 | 192.0.2.2, 192.0.2.120, 192.0.2.135 | host1 | untrust |
| 192.0.2.242, 192.0.2.65, host2 | 192.0.2.242, 192.0.2.65 | host2 | untrust |

To prevent merged rows from being displayed in the Assets and Identities page, you may clean up the source data. For more information on cleaning your source data, see Maintain data hygiene.

Alternatively, you have the option of disabling the merge so that the collection remains the same as the source file and you do not see merged rows in your display. However, you must upgrade to Splunk Enterprise Security 6.2.0 to disable the merge. For more information on enabling or disabling the merge, see Enable merge for assets or identities.

Finally, you may also limit the maximum number of merges for each row by upgrading to Splunk Enterprise Security versions 6.0.2 or 6.1.1. For more information on upgrading to Enterprise Security 6.0.2 or 6.1.1, see Upgrade to Splunk Enterprise Security 6.0.2 or 6.1.1.

Maintain data hygiene by cleaning source data

Avoid merged rows and maintain data hygiene by cleaning asset and identity source data and removing duplicate fields or values. Long merged rows of data should be cleaned to avoid performance issues.

Splunk Enterprise Security versions 6.1.1 and higher may truncate long merged rows of data based on the multivalue limits set for each field. However, in Splunk Enterprise Security version 6.0.2, truncation may be possible without configuring the multivalue limits.

Rows may be merged when any of the following scenarios occur:

  • If the source data has two separate rows, which contain dns="splunk.com", then the rows are merged post upgrade.
  • If you input any of the following values: "NULL", "null", "N/A", "blank", or "none" in one of the four key fields (nt_host, ip, mac, or dns), and these values are not empty zero-byte strings, the values are merged to avoid duplication.

For Splunk Enterprise Security 6.1.1 and 6.2.0, the following input values: "null", "n/a", "unknown", "undefined" are not merged, but ignored.

  • If there are multiple rows with dns="undefined" and other rows with nt_host="undefined", all rows in the lookup may be merged even though the IP addresses are different. The resulting merged row may cause search performance issues.
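The merge conditions listed above can be checked against an asset source file before upgrading. The following is an added example, not Splunk code and not the app's merge logic: it flags values shared by several rows in a key field and placeholder strings in key fields. The reduced CSV header, the sample rows, and the function name audit_asset_csv are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

KEY_FIELDS = ("nt_host", "ip", "mac", "dns")  # the four key fields named above
# Placeholder strings listed on this page, compared case-insensitively.
PLACEHOLDERS = {"null", "n/a", "blank", "none", "unknown", "undefined"}

# Constructed sample; the reduced header is an assumption for illustration.
SAMPLE_CSV = """ip,mac,nt_host,dns,pci_domain
192.0.2.2,,host1,,untrust
192.0.2.120,,host1,,untrust
192.0.2.135,,host1,,untrust
192.0.2.242,,host2,undefined,untrust
192.0.2.65,,host2,N/A,untrust
192.0.2.77,,undefined,splunk.com,untrust
192.0.2.78,,host3,splunk.com,untrust
"""

def audit_asset_csv(text):
    """Return (duplicates, placeholders) found in the key fields.

    duplicates:   {(field, value): [line numbers sharing that value]}
    placeholders: [(line number, field, value)]
    """
    seen = defaultdict(list)
    placeholders = []
    reader = csv.DictReader(io.StringIO(text))
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        for field in KEY_FIELDS:
            value = (row.get(field) or "").strip()
            if not value:
                continue  # empty values are skipped, they are not merge keys
            if value.lower() in PLACEHOLDERS:
                placeholders.append((lineno, field, value))
            else:
                seen[(field, value.lower())].append(lineno)
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return duplicates, placeholders

if __name__ == "__main__":
    dups, bad = audit_asset_csv(SAMPLE_CSV)
    for (field, value), lines in sorted(dups.items()):
        print(f"merge candidate: {field}={value} on lines {lines}")
    for lineno, field, value in bad:
        print(f"placeholder in key field: line {lineno} {field}={value!r}")
```

Rows reported as merge candidates are the ones to deduplicate in the source file; placeholder hits should be replaced with empty values.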

Upgrade to Splunk Enterprise Security 6.0.2 or 6.1.1

If you do not have the option to clean your source data, you may limit the maximum number of merges for each row. You may do this by upgrading to Splunk Enterprise Security versions 6.0.2 or 6.1.1 and including the maximum limit values for the distributed lookups.

For more information on multivalue field limits for assets, see Multivalue field limits for assets. For more information on multivalue field limits for identities, see Multivalue field limits for identities.

For more information on the Splunk Enterprise Security compatibility matrix, see Compatibility matrix.

Recover previous view of Assets and Identities Navigation page

If you do not wish to restore the default navigation menu, you can append the following path: /app/SplunkEnterpriseSecuritySuite/ess_entity_management to your Splunk server URL and revert to your previous Assets and Identity Management page.

Last modified on 21 October, 2020

This documentation applies to the following versions of Splunk® Enterprise Security: 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0

