Splunk: Asset and Identity Framework

Posted Nov 19, 2024 Updated May 10, 2025

By Steh

1 min read

Merge for Assets or Identities

If you disable the merge, only the first asset found will be correlated.

# For example, the asset_lookup_by_str lookup in transforms.conf has max_matches = 1.
# So, the first host it matches in the assets_by_str collection is the only one you'll see in your search results.

Show All Assets

  
# Option 1
| `datamodel("Identity_Management", "All_Assets")`
| rename All_Assets.* as *

# Option 2
| `assets`

Troubleshooting

  
index=_internal sourcetype="identity_correlation:merge" source=*entity_merge.log*

References

Splunk Bloom Filter
Field Summary Command Overview
About Event Segmentation
Event Segmentation and Searching
Commands by Type

splunk, tools, Information Security

splunk

This post is licensed under CC BY 4.0 by the author.

Merge for Assets or Identities

Show All Assets

Troubleshooting

References

Trending Tags