Disable merge for assets and identities in Splunk Enterprise Security
The merge process is enabled for assets and identities by default. However, in situations when you have a source file with duplication in the key fields, and you can't groom the file to make sure that the information belongs to the same asset or identity, then you have the option to disable the merge process.
Perform the following prerequisite tasks before starting on these settings:
- Collect and extract asset and identity data in Splunk Enterprise Security.
- Format the asset or identity list as a lookup in Splunk Enterprise Security.
- Configure a new asset or identity list in Splunk Enterprise Security.
Disable the merge process
Use the global settings to enable or disable merge as follows:
- From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
- Click the Global Settings tab.
- Scroll to the Enable Merge for Assets or Identities panel.
- Use the toggle to enable or disable for Assets or Identities.
Using assets as an example, consider a source file with duplicates in the key field of
nt_host, such as the following:
The default is to merge the three rows with
host1 into one asset, and merge the two rows with
host2 into another asset.
If you disable the merge, then the collection remains the same as the source file, and assets are not merged.
When you do a lookup on an non-merged collection, there is no context for how to resolve the overlapping key field values. For example, the asset_lookup_by_str lookup in transforms.conf has
max_matches = 1, so the first host it matches in the assets_by_str collection is the only one you'll see in your search results.
Reset asset and identity collections immediately in Splunk Enterprise Security
Enable entity zones for assets and identities in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 6.4.0, 6.4.1