Splunk: Asset and Identity Framework

Merge for Assets or Identities

If you disable the merge only the first asset found will be correlated.

"For example, the asset_lookup_by_str lookup in transforms.conf has max_matches = 1, so the first host it matches in the assets_by_str collection is the only one you'll see in your search results."

show all assets

´´´bash

1

|datamodel("Identity_Management", "All_Assets") | rename All_Assets.* as *

2

| assets ´´´

Troubleshooting

index=_internal sourcetype="identity_correlation:merge" source=*entity_merge.log*

Splunk: Asset and Identity Framework

Merge for Assets or Identities

show all assets

1

2

Troubleshooting

source

You may also enjoy

Splunk4Admins

Mastering Field Extraction in Splunk: Quick Guide

Mastering the Tstats Command in Splunk