Turn off merge for assets and identities in
The merge process is turned on for assets and identities by default. However, in situations when you have a source file with duplication in the key fields, and you can't groom the file to make sure that the information belongs to the same asset or identity, then you have the option to turn off the merge process.
Prerequisites
Perform the following prerequisite tasks before starting on these settings:
- Collect and extract asset and identity data in Splunk Enterprise Security.
- Format an asset or identity list as a lookup in Splunk Enterprise Security.
- Configure a new asset or identity list in Splunk Enterprise Security.
Turn off the merge process
Use the global settings to turn off or turn on merge as follows:
- From the menu bar, select Configure, then Datasets, then Assets and identities.
- Select the Global settings tab.
- Scroll to the Activate / Turn on Merge for Assets or Identities panel.
- Use the toggle to turn on or turn off for Assets or Identities.
Example
Using assets as an example, consider a source file with duplicates in the key field of nt_host
, such as the following:
ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
192.0.2.2,,host1,,,,,,,,,,,,,,
192.0.2.120,,host1,,,,,,,,,,,,,,
192.0.2.135,,host1,,,,,,,,,,,,,,
192.0.2.242,,host2,,,,,,,,,,,,,,
192.0.2.65,,host2,,,,,,,,,,,,,,
The default is to merge the three rows with nt_host
of host1
into one asset, and merge the two rows with host2
into another asset.
asset | ip | nt_host | pci_domain |
---|---|---|---|
192.0.2.2 192.0.2.120 |
192.0.2.2 192.0.2.120 |
host1 | untrust |
192.0.2.242 192.0.2.65 |
192.0.2.242 192.0.2.65 |
host2 | untrust |
If you turn off the merge, then the collection remains the same as the source file, and assets are not merged.
asset | ip | nt_host | pci_domain |
---|---|---|---|
192.0.2.2 host1 |
192.0.2.2 | host1 | untrust |
192.0.2.120 host1 |
192.0.2.120 | host1 | untrust |
192.0.2.135 host1 |
192.0.2.135 | host1 | untrust |
192.0.2.242 host2 |
192.0.2.242 | host2 | untrust |
192.0.2.65 host2 |
192.0.2.65 | host2 | untrust |
When you do a lookup on an non-merged collection, there is no context for how to resolve the overlapping key field values. For example, the asset_lookup_by_str lookup in transforms.conf has max_matches = 1
, so the first host it matches in the assets_by_str collection is the only one you'll see in your search results.
Reset asset and identity collections immediately in | Turn on entity zones for assets and identities in |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!