Splunk: Asset and Identity Framework
Merge for Assets or Identities
If you disable the merge, only the first asset found will be correlated.
# For example, the asset_lookup_by_str lookup in transforms.conf has max_matches = 1.
# So, the first host it matches in the assets_by_str collection is the only one you'll see in your search results.
Show All Assets
# Option 1
| `datamodel("Identity_Management", "All_Assets")`
| rename All_Assets.* as *
# Option 2
| `assets`
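Building on the `assets` macro above, this added example (not part of the original notes) lists key values that appear in more than one asset record, which are the hosts where a lookup limited to max_matches = 1 returns only the first record. It assumes the standard asset key fields ip, mac, nt_host and dns plus the owner and priority fields; record_id is a made-up row counter, and the `#` lines are notes in the same style as above, to be dropped before running.

```spl
# Added example: record_id is a made-up row counter, not an ES field.
# Assumes the standard asset key fields ip, mac, nt_host and dns.
| `assets`
| streamstats count AS record_id
| eval key_value=mvdedup(mvappend(ip, mac, nt_host, dns))
| mvexpand key_value
| eval key_value=lower(key_value)
| stats dc(record_id) AS records values(nt_host) AS nt_host values(ip) AS ip values(owner) AS owner values(priority) AS priority BY key_value
| where records > 1
| sort - records
```

Each row is a key value claimed by several records; with merge disabled, compare the owner and priority values across those records to see what enrichment is lost when only the first match is used.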
Troubleshooting
index=_internal sourcetype="identity_correlation:merge" source=*entity_merge.log*