Test the asset and identity merge process in Splunk Enterprise Security
You can test the asset and identity merge process if you want to confirm that the data produced by the merge process is expected and accurate. Run the saved searches that perform the merge process without outputting the data to the merged lookups to determine what the merge will do with your data without actually performing the merge. These steps are not required, but can be performed to validate the merge works as expected.
Test the merge process without performing a merge and outputting the data to a lookup.
- From the Splunk ES menu bar, select Configure > Content > Content Management.
- Locate the first of the three primary saved searches Identity - Asset CIDR Matches - Lookup Gen.
- Click the search name to open it.
- Copy the search from the Search field.
- Open the Search page.
- Paste the search and remove the
`output_*`macro. For example, change
| `asset_sources` | `make_assets_cidr` | `output_assets("SA-IdentityManagement", "assets_by_cidr.csv")`to
| `asset_sources` | `make_assets_cidr`.
- Run the search.
- Repeat steps 2-7 for the other two searches, Identity - Asset String Matches - Lookup Gen and Identity - Identity Matches - Lookup Gen.
Asset and identity fields after processing in Splunk Enterprise Security
Customize the asset and identity merge process in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2, 7.0.0, 7.0.1