Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to return redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Modify asset and identity lookups

Make changes to the asset and identity lookups in Splunk Enterprise Security to add new assets or identities, or change existing values in the lookup tables. You can also turn on or turn off existing lookups.

Edit asset and identity lookups

Edit an asset or identity lookup in the Identity Management dashboard.

  1. In Enterprise Security, select Configure > Data Enrichment > Identity Management.
  2. Find the name of the asset or identity list you want to edit, and select Source. The list opens in an interactive editor.
  3. Use the scroll bars to view the columns and rows in the table. Double-click a cell to add, change, or remove its content.
  4. Click Save when you are finished.

Changes made to an asset or identity list will be reflected in search results after the next scheduled merge. See How Splunk Enterprise Security processes and merges asset and identity data.
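The interactive editor does not check what you type into a cell, and a malformed row is only noticed after the next merge. The following added validator (not part of the Splunk documentation or product) checks an edited asset list before you save it: it assumes the standard Enterprise Security asset columns (ip, mac, nt_host, dns, priority), the usual priority values, and that an ip cell may hold a single address, a CIDR block, or a hyphenated range.

```python
import csv
import io
import ipaddress

# Assumed ES asset lookup key columns and priority values (not taken from this page).
KEY_FIELDS = ("ip", "mac", "nt_host", "dns")
VALID_PRIORITY = {"unknown", "informational", "low", "medium", "high", "critical"}


def validate_asset_csv(text):
    """Return a list of (line_number, message) problems found in an asset lookup CSV."""
    problems = []
    seen = {}  # (field, value) -> line number, for duplicate key detection
    reader = csv.DictReader(io.StringIO(text))
    missing = [f for f in KEY_FIELDS + ("priority",) if f not in (reader.fieldnames or [])]
    if missing:
        return [(0, "missing columns: " + ", ".join(missing))]
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        keys = {f: (row.get(f) or "").strip() for f in KEY_FIELDS}
        keys = {f: v for f, v in keys.items() if v}
        if not keys:
            problems.append((n, "no key field (ip, mac, nt_host or dns) set"))
        ip = keys.get("ip")
        if ip:
            try:
                if "-" in ip:  # range form "first-last"
                    lo, hi = (ipaddress.ip_address(p.strip()) for p in ip.split("-", 1))
                    if lo > hi:
                        raise ValueError("range is reversed")
                else:  # single address or CIDR block
                    ipaddress.ip_network(ip, strict=False)
            except (ValueError, TypeError) as exc:
                problems.append((n, "bad ip %r: %s" % (ip, exc)))
        prio = (row.get("priority") or "").strip().lower()
        if prio and prio not in VALID_PRIORITY:
            problems.append((n, "priority %r not in %s" % (prio, sorted(VALID_PRIORITY))))
        for f, v in keys.items():
            key = (f, v.lower())
            if key in seen:
                problems.append((n, "duplicate %s %r (also on line %d)" % (f, v, seen[key])))
            else:
                seen[key] = n
    return problems


# Constructed sample list: one duplicate ip, one row with no key, one bad ip and priority.
SAMPLE = """ip,mac,nt_host,dns,owner,priority,category
10.0.0.0/24,,,,it-ops,medium,network
10.0.1.5,,WEB01,web01.example.test,webteam,high,web
10.0.1.5,,,,dup,low,
,,,,nobody,urgent,
192.168.1.300,,,,bad,low,
"""

if __name__ == "__main__":
    for line, msg in validate_asset_csv(SAMPLE):
        print("line %d: %s" % (line, msg))
```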

Turn on or turn off asset and identity lookups

Turn on or turn off an asset or identity lookup input. Turn off an input to prevent the contents of the corresponding list from being included in the merge process. Turn on a deactivated input to allow the associated list to be merged at the next scheduled merge of the asset or identity data. Turning off an input does not delete the data in the associated lookup from Splunk Enterprise Security.

  1. In Enterprise Security, select Configure > Data Enrichment > Identity Management.
  2. Locate the asset or identity lookup you want to turn off.
  3. Click Deactivate / Turn off or Activate / Turn on.

Starting with version 5.0.0, asset and identity lookup inputs are turned off by default after installation. Local settings are respected after an upgrade.

Turn off the demo asset and identity lookups

The demo asset and identity lookups are turned off by default. Turn off the demo asset and identity lookups to prevent the demo data from being added to the primary asset and identity lookups that Splunk Enterprise Security uses for asset and identity correlation. After you turn off the demo data lookups, saved searches update the primary asset and identity lookups and remove the data from the turned-off lookups from the primary lookups.

  1. In Enterprise Security, select Configure > Data Enrichment > Identity Management.
  2. Locate the demo_assets and demo_identities lookups.
  3. Click Deactivate / Turn off for each.

Include or exclude asset or identity lookups from bundle replication

Starting in version 4.7.0, the asset and identity source lookup files are excluded from bundle replication in an indexer cluster by default. The merged lookup files are still included in bundle replication to support asset and identity correlation. See Lookups that store merged asset and identity data in Splunk Enterprise Security for the lookup files that continue to be included in bundle replication.

Changing the default to include asset and identity lookup files in bundle replication might reduce system performance.

  1. In Enterprise Security, select Configure > Data Enrichment > Identity Management.
  2. Click the lookup that you want to include or exclude from bundle replication.
  3. Select or deselect the check box for Denylist. If selected, the lookup file is excluded from bundle replication.

You can only make this change if the "Activate / Turn on Identity Generation Autoupdate" setting is set to "true". See Configure general settings for Splunk Enterprise Security.

Last modified on 11 August, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2, 7.0.0, 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2

