Use the search preview to test the merge of asset and identity data in Splunk Enterprise Security
You can test the asset and identity merge process if you want to confirm that the data produced by the merge process is expected and accurate. You can run the search previews to determine what the merge will do with your data without actually performing the merge. These steps aren't required, but can be performed to validate the merge works as expected.
If you used previous versions of ES, note that the search preview shows you the dynamic custom search that replaces the following correlation searches:
- Identity - Asset CIDR Matches - Lookup Gen
- Identity - Asset String Matches - Lookup Gen
- Identity - Identity Matches - Lookup Gen
To preview all your asset and identity searches, do the following:
- From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
- Click the Search Preview tab.
- You can run the search preview for each collection, the lookups of which are located in the transforms.conf file:
- asset_lookup_by_str is the lookup for the assets_by_str collection.
- asset_lookup_by_cidr is the lookup for the assets_by_cidr collection.
- identity_lookup_expanded is the lookup for the identities_expanded collection.
The search preview looks into all your lookup tables and creates custom-built searches with what is currently in your inputs.conf file. The search is dynamic and generates the search each time you refresh or load the page. The results of these searches are the delta since the last merge. If nothing has changed in the source files since the last merge, you do not see any output.
If you want to see some output regardless if anything has changed, you can remove the
inputlookup append=T SPL from the search. For example, in the case of identities, you would remove:
| inputlookup append=T "identity_lookup_expanded" from the identity_lookup_expanded search.
Manage correlation setup in Splunk Enterprise Security
Verify that your asset and identity data was added to Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0