Splunk Enterprise Security

Assets Exceeding Field Limits, Source: [merge]


Been getting messages saying that some identities are exceeding the field limits. I've increased the limit on some of them, but I'm having difficulty finding the exact field that is causing this issue. Is there a way to find the exact instance where this limit is being exceeded?

  • Identity: 25 assets are currently exceeding the field limits set in the Asset and Identity Management page. Data truncation will occur unless the field limits are increased. Sources: [merge].

Re: Assets Exceeding Field Limits, Source: [merge]


I'm getting the same error messages. Can't figure out what exactly is causing them. I've tried this search (and variations of it).

| inputlookup asset_lookup_by_str | stats values(dns) dc(dns) as dc by ip | sort limit=0 -dc

Also, I think that DHCP can cause troubles with the asset lists in Splunk ES.

Check out this thread as well: https://community.splunk.com/t5/Splunk-Enterprise-Security/Assets-with-overlapping-DHCP-Addresses-Me...

Have you found any better solution than my search above?
