How to periodically clean the Splunk ES asset list?

hettervik — Wed, 11 Feb 2026 12:27:38 GMT

In Splunk ES there is an asset list, "asset_lookup_by_str". This list contains the output from merging asset list input lookups. This merging process is happening "under the hood" in Splunk ES, it's not a normal saved search (even though part of the process seems to be the running of a search with the "entitymerge" command).

Typically, over time this merged asset list will collect outdated information, e.g. DNS names no longer in use. Also, with dynamic IPs on assets, this quickly creates strangeness in the list. There is no good out-of-the-box solution for dealing with this, as far as I know. The only solution that is provided by Splunk ES, is to use the "Reset collections" button on the "Asset and Identity management" page, which will delete the whole asset list, and let it be rebuilt with fresh data from your input asset lookups (see attached screenshot).

My question is thus, to make sure the asset list in Splunk ES is updated and free of junk, how can you periodically reset the list?

One would think that there was a REST endpoint you could use to trigger "reset collections", but I cannot find any. Under are some other possible solutions that I've tested, but can not get to work

Deleting the asset list with "outputlookup":

| outputlookup "asset_lookup_by_str"

Running the command above would indeed delete the list (make it empty). However, the asset list framework in Splunk ES will not "notice" that the list is deleted, and thus not rebuild it. It seems that clicking the "Reset collections" button in the GUI also updates some checkpoint, which triggers a rebuild. I've found no way of manually duplicate this "checkpoint update" behaviour.

Deleting the asset list with "outputlookup", and rebuilding it manually with "entitymerge":

You might suggest that I could delete the list manually, and rebuild it with the enitymerge command. The search for this is even pre-created and ready for use in the "Asset and Identity management" pages. However, the input asset lookups are hardcoded in the search, meaning that in the future, if you add or remove input asset lookups, the search need to updated as well. This does not seem like a good long term solution. Automatically updating the search based on the input asset lookups seems to require custom scripts, and would be complicated.

Deleting the asset list with the "identdelete" command:

| identdelete collection="assets_by_str"

The "identdelete" is a undocumented command in Splunk, but looking at the internal logs when using the "Reset collections" button, you can find it. It seems from the name of the command that it might be useful, but I've found that it in fact does nothing. See example of the ootb identdelete search that is run when clicking "Reset collections" below (in this case for the asset CIDR list, but it's the same).

| `add_entity_source("frothly_aws_assets_2018","frothly_aws_assets_2018")` 
| `add_entity_source("frothly_assets_2018","frothly_assets_2018")` 
| table "_source","cim_entity_zone","bunit","category","city","country","dns","ip","is_expected","lat","long","mac","nt_host","owner","pci_domain","priority","requires_av","should_timesync","should_update" 
| `make_ip_cidr` 
| inputlookup append=T "asset_lookup_by_cidr" 
| entitymerge "asset" 
| outputlookup append=T "asset_lookup_by_cidr" 
| head 1 
| identdelete collection="assets_by_cidr"

Manually clicking the "Reset collections" button:

This is not a feasible solution.

Re: How to periodically clean the Splunk ES asset list?

hettervik — Mon, 09 Mar 2026 11:07:09 GMT

We've found a way to automate a delete and rebuild of the Splunk ES asset list. We checked with Splunk Support, and as of this post, there is no endpoint you can use to trigger "Reset collections". However, we've learned that Splunk ES triggers a rebuild of the asset list "asset_lookup_by_str" when new information is available in any of the input lookup asset lists. So, we've made a job that delete "asset_lookup_by_str", and then updates a dummy lookup with a dummy asset, to trigger a asset list rebuild. See steps below.

Step 1: Create a dummy asset lookup input:

Create a new lookup file CSV named "dummy_asset_list.csv" (or something like that)
Create a corresponding lookup definition "dummy_asset_list"
Add the lookup "dummy_asset_list" as an asset list input in the Splunk ES asset framework

Step 2: Schedule the following job:

| outputlookup asset_lookup_by_str
| table ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
| append [| makeresults | eval dns="dummyasset_updated:"+tostring(now()) | table dns]
| outputlookup dummy_asset_list.csv

Explanation: The job deletes "asset_lookup_by_str" with the outputlookup command, and then overwrites the dummy asset list input with a new dummy asset, containing an epoch timestamp in the name for uniqueness. The "new asset updates" background check from ES runs on a 5 minute interval, meaning that the asset list "asset_lookup_by_str" will be rebuild in at most 5 minutes.

topic How to periodically clean the Splunk ES asset list? in Splunk Enterprise Security

How to periodically clean the Splunk ES asset list?

Re: How to periodically clean the Splunk ES asset list?