Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Turn off merge for assets and identities in

The merge process is turned on for assets and identities by default. However, in situations when you have a source file with duplication in the key fields, and you can't groom the file to make sure that the information belongs to the same asset or identity, then you have the option to turn off the merge process.

Prerequisites

Perform the following prerequisite tasks before starting on these settings:

  1. Collect and extract asset and identity data in .
  2. Format the asset or identity list as a lookup in .
  3. Configure a new asset or identity list in .

Turn off the merge process

Use the global settings to turn off or turn on merge as follows:

  1. From the menu bar, select Configure > Data Enrichment > Asset and Identity Management.
  2. Click the Global Settings tab.
  3. Scroll to the Activate / Turn on Merge for Assets or Identities panel.
  4. Use the toggle to turn on or turn off for Assets or Identities.

Example

Using assets as an example, consider a source file with duplicates in the key field of nt_host, such as the following: ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
192.0.2.2,,host1,,,,,,,,,,,,,,
192.0.2.120,,host1,,,,,,,,,,,,,,
192.0.2.135,,host1,,,,,,,,,,,,,,
192.0.2.242,,host2,,,,,,,,,,,,,,
192.0.2.65,,host2,,,,,,,,,,,,,,

The default is to merge the three rows with nt_host of host1 into one asset, and merge the two rows with host2 into another asset.

asset ip nt_host pci_domain
192.0.2.2

192.0.2.120
192.0.2.135
host1

192.0.2.2

192.0.2.120
192.0.2.135

host1 untrust
192.0.2.242

192.0.2.65
host2

192.0.2.242

192.0.2.65

host2 untrust

If you turn off the merge, then the collection remains the same as the source file, and assets are not merged.

asset ip nt_host pci_domain
192.0.2.2

host1

192.0.2.2 host1 untrust
192.0.2.120

host1

192.0.2.120 host1 untrust
192.0.2.135

host1

192.0.2.135 host1 untrust
192.0.2.242

host2

192.0.2.242 host2 untrust
192.0.2.65

host2

192.0.2.65 host2 untrust

When you do a lookup on an non-merged collection, there is no context for how to resolve the overlapping key field values. For example, the asset_lookup_by_str lookup in transforms.conf has max_matches = 1, so the first host it matches in the assets_by_str collection is the only one you'll see in your search results.

Last modified on 11 August, 2023
Reset asset and identity collections immediately in   Turn on entity zones for assets and identities in

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters