Manage asset field settings in Splunk Enterprise Security
You can add a new asset field, turn on case sensitive matching, revise multivalue field limits for assets.
Prerequisites
Perform the following prerequisite tasks before starting on these settings:
- Collect and extract asset and identity data in Splunk Enterprise Security.
- Format the asset or identity list as a lookup in Splunk Enterprise Security.
- Configure a new asset or identity list in Splunk Enterprise Security.
Add or edit an asset field
Asset fields are added both by default and by entering custom fields manually. You can add up to 20 custom fields for your lookups. Default key fields are dns
, ip
, mac
, nt_host
. You can configure whether a field is a key field, a tag field, a multivalue field, or all of the above.
To add a new custom asset field, do the following:
- From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
- Click the Asset Fields tab.
- Click Add New Field.
- In the New Asset Field dialog box, do the following:
- Enter a field name.
- Check the Key check box to make this field a key. When merge is turned on, assets with the same values for this field are merged. The minimum number of key fields is one.
- Check the Tag check box if the field can be used as an asset tag. This is a helper field for holding additional values that you want to look up, in addition to the key fields. This is not the same as tagging in Splunk Enterprise.
- Check the Multivalue check box if the field can output multiple values.
- (Optional) Revise the Limit if you want to change the number of values that display in a multivalue field merge. See Revise field limits for assets.
- Click Save.
The Save button is turned off when the limit is reached and is turned on again when any custom field is deleted using the Delete action link.
If you want the merge process to merge on something other than dns
, ip
, mac
, nt_host
, you can edit the default key fields. To edit an asset field, do the following:
- From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
- Click the Asset Fields tab.
- Click the field name that you want to edit.
- Check the Key check box to make this field a key. When merge is turned on, assets with the same values for this field are merged.
- Check the Tag check box if the field can be used as an asset tag. This is a helper field for holding additional values that you want to look up, in addition to the key fields. This is not the same as tagging in Splunk Enterprise.
- Check the Multivalue check box if the field can output multiple values.
- (Optional) Revise the Limit if you want to change the number of values that display in a multivalue field merge. See Revise field limits for assets.
- Click Save.
Turn on case-sensitive matching for asset fields
Case sensitive matching is globally available across all fields.
Note that searches using | inputlookup ... where <filter>
are case sensitive. Asset and Identity Management pages might use searches that contain where
clauses. When case sensitivity is set to false, the merge process stores the values as lowercase so that case insensitive matches can be performed. To avoid this, you can toggle the case sensitive settings to true.
To use case-sensitive matching, do the following:
- From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
- Click the Asset Fields tab.
- Turn on the Activate / Turn on case sensitive asset matching switch.
- Click Update to trigger the merge process and rewrite the
asset_lookup_by_str
andasset_lookup_by_cidr
KV store collections.
Revise multivalue field limits for assets
The default number of multivalue asset fields that display after merging is 6 for key fields and 25 for non-key fields.
To revise multivalue field limits, perform the following steps:
- From the Splunk Enterprise Security menu bar, select Configure > Data Enrichment > Asset and Identity Management.
- Click the Asset Fields tab.
- Scroll to find the field name that you're looking for and do the following:
- Click on the link.
- Change the Field Limit value.
- Click Save.
The field value range for a non-key multivalue field is 1 - 100. The field value range for a key multivalue field is 1 - 25. The reason that the default multivalue key field limit is 6 for assets is because there are 4 key fields. If each key field contains 6 values, the merge process results in an asset field with 24 key values. Performance issues can occur when a resulting asset field contains 25 key values. You can set a key multivalue field to 25, but performance issues can also occur if multiple key fields have 25 values.
If your source CSV file contains more values in a multivalue field than the limit, these values are truncated during the merge process. This means that in addition to not being displayed in the results, they also are removed from the data altogether. If you search or lookup on the truncated values, you will not find them because they do not exist.
If your data gets truncated, you can revise key multivalue fields to 25, and non-key multivalue fields to 100. Raising the limits has the potential to impact performance.
If your data still gets truncated, but you want to see more than the maximum values, then you need to revise your source CSV files to spread out those values so that they seem to be part of different assets, by making sure that there are no duplicate values in the key fields.
Key fields are dns
, ip
, mac
, and nt_host
. If you store extra information in your key fields, such as the same IP address assigned to multiple systems, these duplicate IP addresses are now merged together as one asset. Make sure that the information in your key fields either belongs to the same asset or does not overlap.
Example of revising multivalue field limits
As an example, you have a source CSV file that contains 9 values in the mac
key field and 7 values in the bunit
field, such as the following:
ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
192.0.2.2,mac1|mac2|mac3|mac4|mac5|mac6|mac7|mac8|mac9,host1,dns1,owner1,,,,,,bunit1|bunit2|bunit3|bunit4|bunit5|bunit6|bunit7,,,,,,
Using the default limit of 6 for the mac
multivalue key field and revising the limit to 5 for the bunit
multivalue field, these are merged into an asset where the mac
key field values are truncated to 6 and the bunit
non-key values are truncated to 5.
bunit | pci_domain | nt_host | ip | asset | asset_tag | mac | dns | owner |
---|---|---|---|---|---|---|---|---|
bunit1 |
untrust | host1 | 192.0.2.2 |
dns1 |
bunit1 |
mac1 |
dns1 | owner1 |
Manage asset lookup configuration policies in Splunk Enterprise Security | Manage identity lookup configuration policies in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
Feedback submitted, thanks!