- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- How to remove asset data?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to remove asset data?
I've configured my own asset list, and now I want to stop asset information from the "demo assets" lookup from showing up in Dashboards, searches, etc. I've disabled the asset in the ES configuration, but it hasn't had any effect. How can I get rid of this junk data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I aggree with rynoconnor's second answer.
The asset and identities are in a lookup file. Whatever new lookups are added as identity or asset, ES will merged data into the existing lookup file rather than overwriting.
For this purpose, if you want to remove demo assets, you should empty asset_lookup_by_str.csv and asset_lookup_by_cidr.csv files. These files can be found in SA-IdentityManagement/lookups folder.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know in version 4.1.0 assets get merged into two files. You can search both of those using the following:
|inputlookup append=T asset_lookup_by_str | inputlookup append=t asset_lookup_by_cidr_raw
This will confirm if your demo assets are still in the merged file. I would recommend backing up the file first, but you could empty this file and it would rebuild upon next merge.
I know a similar set of files (possibly the same ones) exists in earlier versions of ES.
Ryan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So this worked, but now my own asset lists aren't merging back in - the files are just empty. I've tried to force the merge:
$SPLUNK_HOME/bin/splunk cmd splunkd print-modinput-config identity_manager | $SPLUNK_HOME/bin/python $SPLUNK_HOME/etc/apps/SA-IdentityManagement/bin/identity_manager.py --username=admin
Still when I search for assets, it now returns 0 results. Am I missing a step?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have empty file ? Keep the files with header lines.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The file still has the headers:
key,asset_id,asset_tag,bunit,category,city,country,dns,ip,is_expected,lat,long,mac,nt_host,owner,pci_domain,priority,requires_av,should_timesync,should_update
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried disabling the demo assets and waiting for the merge process to run?
http://docs.splunk.com/Documentation/ES/4.2.0/User/Identitymanagement#Verify_the_merging_process
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, as mentioned I've disabled the demo assets. I've also forced the merge, and nothing has happened.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What version of ES are you running?
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
