Manage asset and identity upon upgrade
When you upgrade the Splunk Enterprise Security app to versions 6.0 or higher, you may see the following issues:
- The Asset and Identity Management navigation bar and page does not display if you have customized the menu bar in Splunk Enterprise Security. See Restore the default navigation or Recover the new view of Assets and Identities Navigation page.
- The Asset and Identity page merges the data for your assets and identities after the upgrade. For more information on how to avoid merged rows to display, see Avoid merged assets and identities data.
- The asset and identity collections, search previews, and search results may display differently from before the upgrade. To restore the previous view that you had prior to the upgrade, see Recover the new view of Assets and Identities Navigation page.
- The Asset and Identity page does not enable access to some of your previously saved macros. You may no longer be able to access saved macros if they were not documented for public use.
Recover Asset and Identity Management page
You may not see the Asset and Identity Management page after you upgrade to Enterprise Security 6.0 or higher, especially if you customized the menu bar in the Splunk Enterprise Security app. You have the option to restore the default Assets and Identity Management page or revert to your previous Asset and Identity Management page.
For more information on how to restore the default navigation menu bar for assets and identities, see Restore the default navigation.
Avoid merged assets and identities data
When you upgrade to Splunk Enterprise Security 6.2 or higher, your asset collection may not retain the settings that were specified in your .csv files. Instead, your assets and identities may be merged into rows, which potentially contain overlapping or duplicate information. This happens because the app automatically overwrites the old assets and identity collections.
For example, consider a source file with duplicates in the key field of
nt_host, such as the following:
In this example,
host1 is assigned to three different IP addresses and
host2 assigned to two different IP addresses. In previous versions of Splunk Enterprise Security, the display of the Asset and Identity management page would retain the correlations established in the .csv files of the asset collection as follows:
However, post upgrade the three rows with
host1 will be merged into one asset, and the two rows with
host2 may be merged into another asset as follows:
To avoid merged rows from being displayed in the Assets and Identities page, you may clean up the source data. For more information on cleaning your source data, see Maintain data hygiene.
Alternatively, you have the option of disabling the merge so that the collection remains the same as the source file and you do not see merged rows in your display. However, you must upgrade to Splunk Enterprise Security 6.2.0 to disable the merge. For more information on enabling or disabling the merge, see Disable merge for assets or identities.
Finally, you may also limit the maximum number of merges for each row by upgrading to Splunk Enterprise Security versions 6.0.2 or 6.1.1. For more information on upgrading to Enterprise Security 6.0.2 or 6.1.1, see Upgrade to Splunk Enterprise Security 6. 0.2 or 6.1.1.
Maintain data hygiene by cleaning source data
Avoid merged rows and maintain data hygiene by cleaning asset and identity source data and removing duplicate fields or values. Long merged rows of data should be cleaned to avoid performance issues.
Splunk Enterprise Security versions 6.1.1 and higher may truncate the long merged rows of data based on the multivalue limits set for each field. However, for Splunk Enterprise Security versions 6.0.2 truncation may be possible without configuring the multivalue limits.
Rows may be merged when any of the following scenarios occur:
- If the source data has two separate rows, which contain
dns="splunk.com", then the rows are merged post upgrade.
- If you input any of the following values
"none"in one of the four "key" fields
dns, and if these values are not empty zero-byte string, the values are merged to avoid duplication.
For Splunk Enterprise Security 6.1.1 and 6.2.0, the following input values:
"undefined" are not merged, but ignored.
- If there are multiple rows with
dns="undefined"and other rows with
nt_host="undefined", all rows in the lookup may be merged even though the IP addresses are different. The resulting merged row may cause search performance issues.
Upgrade to Splunk Enterprise Security 6.0.2 or 6.1.1
If you do not have the option to clean you source data, you may limit the maximum number of merges for each row. You may do this by upgrading to Splunk Enterprise Security versions 6.0.2 or 6.1.1 and including the maximum limit values for the distributed lookups.
For more information on multivalue field limits for assets, see Multivalue field limits for assets. For more information on multivalue field limits for identities, see Multivalue field limits for identities.
For more information on Splunk Enterprise Security compatibility matrix, see Compatibility matrix.
If you prefer not to restore the default navigation menu, you can append the following path to your Splunk server URL to go directly to the new Assets and Identities Navigation page:
Add asset and identity data to Splunk Enterprise Security
Collect and extract asset and identity data in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0
Feedback submitted, thanks!