Asset and Identity management multi valued

inayath_khanin1 · ‎09-01-2021

Identity: 314 assets are currently exceeding the field limits set in the Asset and Identity Management page. Data truncation will occur unless the field limits are increased. Sources: [merge].

lakshman239 · ‎09-03-2021

@inayath_khanin1 The above error indicates that during the asset merge process, you have one of the 'key' entries exceeding the multi-value limit setup in the AssetFields page under 'Asset and Identity managent' UI ( you can access in the ES app via Configure -> Data enrichment -> Asset and Identity managent). Look at the all the key fields and the multi-value limit. Additionally, you can also check something like this (pick up any field you want to test, e.g. ip which has a mv limit of 6 by default

|`assets` | eval my_mvcount = count(ip) | stats count by my_mvcount | where my_mvcount > 3

PickleRick · ‎09-02-2021

Check the lookup contents but you probably hit the issue with some changes after ES upgrade.

In my case I needed to disable merging identities because for some unknown reason it was creating a ridiculous lookup entries

https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Merge

If you have distributed environment, you might not be able to disable merge from webui. Then you need to fiddle with inputs.conf from SA-IdentityManagement app to disable merge of particular set of assets or identities.

Asset and Identity management multi valued

incident review

notable event

using Enterprise Security

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...