Splunk Enterprise Security

Asset and Identity management multi valued

inayath_khanin1
Explorer

Identity: 314 assets are currently exceeding the field limits set in the Asset and Identity Management page. Data truncation will occur unless the field limits are increased. Sources: [merge].

0 Karma

lakshman239
Influencer

@inayath_khanin1 The above error indicates that during the asset merge process, you have one of the 'key' entries exceeding the multi-value limit set up in the Asset Fields page under the 'Asset and Identity Management' UI (you can access it in the ES app via Configure -> Data enrichment -> Asset and Identity Management). Look at all the key fields and the multi-value limit. Additionally, you can also check something like this (pick any field you want to test, e.g. ip, which has an mv limit of 6 by default):

 

| `assets` | eval my_mvcount = mvcount(ip) | stats count by my_mvcount | where my_mvcount > 3

 

0 Karma
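The check suggested in the reply above, extended to all four asset key fields (ip, mac, nt_host, dns) and listing the offending merged records instead of a histogram. This is an added example, not part of the original post; `assumed_mv_limit` is a hypothetical helper field set to the 6 mentioned in the reply and should be replaced with the limit configured on your Asset Fields page. The comparison uses `>=` on the assumption that records already sitting at the limit may have been truncated.

```spl
| `assets`
| eval assumed_mv_limit=6
| eval ip_count=mvcount(ip), mac_count=mvcount(mac), nt_host_count=mvcount(nt_host), dns_count=mvcount(dns)
| fillnull value=0 ip_count mac_count nt_host_count dns_count
| eval at_or_over_limit=mvappend(
    if(ip_count>=assumed_mv_limit, "ip", null()),
    if(mac_count>=assumed_mv_limit, "mac", null()),
    if(nt_host_count>=assumed_mv_limit, "nt_host", null()),
    if(dns_count>=assumed_mv_limit, "dns", null()))
| where isnotnull(at_or_over_limit)
| eval max_count=max(ip_count, mac_count, nt_host_count, dns_count)
| sort - max_count
| table asset at_or_over_limit ip_count mac_count nt_host_count dns_count
```

Records at the top of the result are the merges to inspect first: a single key value shared by many source rows is what pulls unrelated assets into one entry.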

PickleRick
SplunkTrust

Check the lookup contents, but you probably hit the issue with some changes after ES upgrade.

In my case I needed to disable merging identities because for some unknown reason it was creating ridiculous lookup entries.

https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Merge

If you have a distributed environment, you might not be able to disable merge from the web UI. Then you need to fiddle with inputs.conf from the SA-IdentityManagement app to disable merge of a particular set of assets or identities.

0 Karma