- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Asset and Identity management multi valued
Identity: 314 assets are currently exceeding the field limits set in the Asset and Identity Management page. Data truncation will occur unless the field limits are increased. Sources: [merge].
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@inayath_khanin1 The above error indicates that during the asset merge process, you have one of the 'key' entries exceeding the multi-value limit setup in the AssetFields page under 'Asset and Identity managent' UI ( you can access in the ES app via Configure -> Data enrichment -> Asset and Identity managent). Look at the all the key fields and the multi-value limit. Additionally, you can also check something like this (pick up any field you want to test, e.g. ip which has a mv limit of 6 by default
|`assets` | eval my_mvcount = count(ip) | stats count by my_mvcount | where my_mvcount > 3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check the lookup contents but you probably hit the issue with some changes after ES upgrade.
In my case I needed to disable merging identities because for some unknown reason it was creating a ridiculous lookup entries
https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Merge
If you have distributed environment, you might not be able to disable merge from webui. Then you need to fiddle with inputs.conf from SA-IdentityManagement app to disable merge of particular set of assets or identities.
