Splunk® Enterprise Security

Administer Splunk Enterprise Security

Lookups that store merged asset and identity data in Splunk Enterprise Security

After the asset and identity merging process completes, four lookups store your asset and identity data.

Current

Function Table name Lookup name
String-based asset correlation assets_by_str KV store collection LOOKUP-zu-asset_lookup_by_str-dest
LOOKUP-zu-asset_lookup_by_str-dvc
LOOKUP-zu-asset_lookup_by_str-src
CIDR subnet-based asset correlation assets_by_cidr KV store collection LOOKUP-zv-asset_lookup_by_cidr-dest
LOOKUP-zv-asset_lookup_by_cidr-dvc
LOOKUP-zv-asset_lookup_by_cidr-src
String-based identity correlation identities_expanded KV store collection LOOKUP-zy-identity_lookup_expanded-src_user
LOOKUP-zy-identity_lookup_expanded-user
Default field correlation identity_lookup_default_fields.csv
asset_lookup_default_fields.csv
LOOKUP-zz-asset_identity_lookup_default_fields-dest
LOOKUP-zz-asset_identity_lookup_default_fields-dvc
LOOKUP-zz-asset_identity_lookup_default_fields-src
LOOKUP-zz-asset_identity_lookup_default_fields-src_user
LOOKUP-zz-asset_identity_lookup_default_fields-user

The main difference now is that three out of four tables are migrated from .csv files to KV store, and can store custom fields. The default field correlation is not migrated over to KV store at this time. The automatic lookups still remain in props.conf.

5.3.1 and earlier

Function Table name Saved search Lookup name
String-based asset correlation assets_by_str.csv Identity - Asset String Matches - Lookup Gen LOOKUP-zu-asset_lookup_by_str-dest
LOOKUP-zu-asset_lookup_by_str-dvc
LOOKUP-zu-asset_lookup_by_str-src
CIDR subnet-based asset correlation assets_by_cidr.csv Identity - Asset CIDR Matches - Lookup Gen LOOKUP-zv-asset_lookup_by_cidr-dest
LOOKUP-zv-asset_lookup_by_cidr-dvc
LOOKUP-zv-asset_lookup_by_cidr-src
String-based identity correlation identities_expanded.csv Identity - Identity Matches - Lookup Gen LOOKUP-zy-identity_lookup_expanded-src_user
LOOKUP-zy-identity_lookup_expanded-user
Default field correlation identity_lookup_default_fields.csv
asset_lookup_default_fields.csv
LOOKUP-zz-asset_identity_lookup_default_fields-dest
LOOKUP-zz-asset_identity_lookup_default_fields-dvc
LOOKUP-zz-asset_identity_lookup_default_fields-src
LOOKUP-zz-asset_identity_lookup_default_fields-src_user
LOOKUP-zz-asset_identity_lookup_default_fields-user
Last modified on 26 August, 2024
How Splunk Enterprise Security processes and merges asset and identity data   Asset and identity fields after processing in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters