Splunk® Enterprise Security

Administer Splunk Enterprise Security

Splunk Enterprise Security (ES) versions 6.0.0, 6.0.1, and 6.3.0 are no longer available for download from Splunkbase as of April 15, 2021. Please upgrade to the latest version of Splunk Enterprise Security to avoid any potential issues with Assets and Identity management.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Overwrite asset or identity data with entitymerge in Splunk Enterprise Security

After you add assets and identities to Splunk Enterprise Security, you can use the entitymerge command to merge or overwrite asset or identity data based on matched foreign keys. See Add asset and identity data to Splunk Enterprise Security.

The purpose of the command is to merge assets or identities based on key fields. The intention is to take multiple rows of assets or identities with duplicate information in the key fields, pipe them to the entitymerge command, and merge them into a single asset or identity.

Description

Use the entitymerge command to merge or overwrite asset or identity data based on matched key fields. Primarily, you use it by default in the Search Preview tab of Asset and Identity Management. You can use it manually for debugging. See Search Preview.

Syntax

entitymerge <entitymerge-target>

Required arguments

entitymerge-target

Syntax: [asset|identity]
Description: Required target of the entitymerge command.

Example

You can see examples of the entitymerge command in the Search Preview tab of Asset and Identity Management.

One example is the search preview for asset_lookup_by_str, the asset table that uses string matching to enrich events:

| `add_entity_source("demo_asset_lookup","demo_assets")` | `add_entity_source("frothly_assets_2018","frothly_assets_2018")` | `add_entity_source("seckit_idm_assets_aws_ec2","frothly_aws_assets_2018")` | `add_entity_source("simple_asset_lookup","static_assets")` | table "_source","cim_entity_zone","bunit","category","city","country","dns","ip","is_expected","lat","long","mac","nt_host","owner","pci_domain","priority","requires_av","should_timesync","should_update" | `make_ip_str` | inputlookup append=T "asset_lookup_by_str" | entitymerge "asset"

To see an example of the merge behavior when enabled versus disabled, see Example.

For more information about merge behavior after upgrading to Enterprise Security 6.0 and higher, see Manage asset and identity upon upgrade.

For a high-level overview of processing and merging, see How Splunk Enterprise Security processes and merges asset and identity data.

Last modified on 22 November, 2021
Modify asset and identity lookups   Add threat intelligence to Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters