Splunk® Enterprise Security

Administer Splunk Enterprise Security

Turn off merge for assets and identities in

The merge process is turned on for assets and identities by default. However, in situations when you have a source file with duplication in the key fields, and you can't groom the file to make sure that the information belongs to the same asset or identity, then you have the option to turn off the merge process.


Perform the following prerequisite tasks before starting on these settings:

  1. Collect and extract asset and identity data in .
  2. Format the asset or identity list as a lookup in .
  3. Configure a new asset or identity list in .

Turn off the merge process

Use the global settings to turn off or turn on merge as follows:

  1. From the menu bar, select Configure > Data Enrichment > Asset and Identity Management.
  2. Click the Global Settings tab.
  3. Scroll to the Activate / Turn on Merge for Assets or Identities panel.
  4. Use the toggle to turn on or turn off for Assets or Identities.


Using assets as an example, consider a source file with duplicates in the key field of nt_host, such as the following: ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av,,host1,,,,,,,,,,,,,,,,host1,,,,,,,,,,,,,,,,host1,,,,,,,,,,,,,,,,host2,,,,,,,,,,,,,,,,host2,,,,,,,,,,,,,,

The default is to merge the three rows with nt_host of host1 into one asset, and merge the two rows with host2 into another asset.

asset ip nt_host pci_domain

host1 untrust

host2 untrust

If you turn off the merge, then the collection remains the same as the source file, and assets are not merged.

asset ip nt_host pci_domain

host1 host1 untrust

host1 host1 untrust

host1 host1 untrust

host2 host2 untrust

host2 host2 untrust

When you do a lookup on an non-merged collection, there is no context for how to resolve the overlapping key field values. For example, the asset_lookup_by_str lookup in transforms.conf has max_matches = 1, so the first host it matches in the assets_by_str collection is the only one you'll see in your search results.

Last modified on 11 August, 2023
Reset asset and identity collections immediately in   Turn on entity zones for assets and identities in

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters