Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is assets_by_cidr.csv lookup file empty?

EssKay
Engager
‎03-20-2024 04:34 PM

As I was going through the Asset and Identity Management manual, I couldn't see anything related to how to enrich the two lookup files assets_by_cidr.csv and assets_by_str.csv. For some reason (I couldn't figure out why), the assets_by_str.csv is filled with data and is populating data when running any search. However, nothing is getting fetched to assets_by_cidr.csv, I'm not sure if this is supposed to be filled automatically? and I can't find any configuration that associates where these two CSVs are taking the data from... 

 

I can only see that they're coming from the app SA-IdentityManagement, can someone please help in troubleshooting this? Where are these two lookup table expected to get the data from and how?

Lastly, to give more context, the final purpose it to fulfill the request of data enrichment for this specific use case Detect Large Outbound ICMP Packets...

Tags (2)
0 Karma
Reply

kprior201
Path Finder
‎04-11-2024 01:11 PM

These lookups get their information from configured asset lookups within Enterprise Security, as you linked. They're populated automatically  Do your asset lookups have CIDR information included in them? If the string lookup is populating, then you have some kind of assets configured. If you have a dev environment experiencing this problem, you might try enabling the demo_asset_lookup in the Asset and Identity Management page to see if it populates the CIDR one automatically. It has CIDR networks properly built into it.

The best official documentation I came across in my search was https://docs.splunk.com/Documentation/ES/7.3.1/Admin/Howassetandidentitydataprocessed

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...