Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Reset asset and identity collections immediately in

All the asset and identity source files that are enabled in the Asset and Identity Management page get merged into the following default collections in the collections.conf file: assets_by_str, assets_by_cidr, or identities_expanded.

If your collections get into an undesirable state, you can reset your collections at any time, rather than waiting for the automated process to clear out the KV store collection. It's similar to clearing cache manually.

Prerequisites

Perform the following prerequisite tasks before starting on these settings:

  1. Collect and extract asset and identity data in .
  2. Format the asset or identity list as a lookup in .
  3. Configure a new asset or identity list in .

Reset your collections immediately

The Reset Collections button is globally available regardless if you are configuring in a particular tab.

  1. From the menu bar, select Configure > Data Enrichment > Asset and Identity Management.
  2. Click Reset Collections.

When the identity manager runs again in 5 minutes, it rebuilds the collections based on which source files are enabled in the Asset Lookup Configuration or the Identity Lookup Configuration.

Last modified on 22 November, 2021
Use the search preview to test the merge of asset and identity data in Splunk Enterprise Security   Disable merge for assets and identities in

This documentation applies to the following versions of Splunk® Enterprise Security: 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters