Splunk Enterprise Security

Enterprise Security - Lists & Lookups Data Ignored

Path Finder

Is there a way to ignore additional field data populated from anything other than Lists and Lookups data within ES?

I'm wanting to populate asset data such as 'buint' using Lists and Lookups, but something else is overriding it and so no matter what I add to Lists and Lookups, the field data I've manually added isn't there. It's data from somewhere else but I don't know where, just that it's not coming from the system being logged.

But I don't know what or how it's being overwritten and how I can get ES to only look at its own Lists and Lookups and nothing else.

0 Karma
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...