Lookups that store merged asset and identity data in Splunk Enterprise Security
After the asset and identity merging process completes, four lookups store your asset and identity data.
Current
Function | Table name | Lookup name |
---|---|---|
String-based asset correlation | assets_by_str KV store collection | LOOKUP-zu-asset_lookup_by_str-dest LOOKUP-zu-asset_lookup_by_str-dvc LOOKUP-zu-asset_lookup_by_str-src |
CIDR subnet-based asset correlation | assets_by_cidr KV store collection | LOOKUP-zv-asset_lookup_by_cidr-dest LOOKUP-zv-asset_lookup_by_cidr-dvc LOOKUP-zv-asset_lookup_by_cidr-src |
String-based identity correlation | identities_expanded KV store collection | LOOKUP-zy-identity_lookup_expanded-src_user LOOKUP-zy-identity_lookup_expanded-user |
Default field correlation | identity_lookup_default_fields.csv asset_lookup_default_fields.csv |
LOOKUP-zz-asset_identity_lookup_default_fields-dest LOOKUP-zz-asset_identity_lookup_default_fields-dvc LOOKUP-zz-asset_identity_lookup_default_fields-src LOOKUP-zz-asset_identity_lookup_default_fields-src_user LOOKUP-zz-asset_identity_lookup_default_fields-user |
The main difference now is that three out of four tables are migrated from .csv files to KV store, and can store custom fields. The default field correlation is not migrated over to KV store at this time. The automatic lookups still remain in props.conf
.
5.3.1 and earlier
Function | Table name | Saved search | Lookup name |
---|---|---|---|
String-based asset correlation | assets_by_str.csv | Identity - Asset String Matches - Lookup Gen | LOOKUP-zu-asset_lookup_by_str-dest LOOKUP-zu-asset_lookup_by_str-dvc LOOKUP-zu-asset_lookup_by_str-src |
CIDR subnet-based asset correlation | assets_by_cidr.csv | Identity - Asset CIDR Matches - Lookup Gen | LOOKUP-zv-asset_lookup_by_cidr-dest LOOKUP-zv-asset_lookup_by_cidr-dvc LOOKUP-zv-asset_lookup_by_cidr-src |
String-based identity correlation | identities_expanded.csv | Identity - Identity Matches - Lookup Gen | LOOKUP-zy-identity_lookup_expanded-src_user LOOKUP-zy-identity_lookup_expanded-user |
Default field correlation | identity_lookup_default_fields.csv asset_lookup_default_fields.csv |
LOOKUP-zz-asset_identity_lookup_default_fields-dest LOOKUP-zz-asset_identity_lookup_default_fields-dvc LOOKUP-zz-asset_identity_lookup_default_fields-src LOOKUP-zz-asset_identity_lookup_default_fields-src_user LOOKUP-zz-asset_identity_lookup_default_fields-user |
How Splunk Enterprise Security processes and merges asset and identity data | Asset and identity fields after processing in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!