Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to remove asset data?

khagan
Path Finder
‎07-29-2016 03:35 AM

I've configured my own asset list, and now I want to stop asset information from the "demo assets" lookup from showing up in Dashboards, searches, etc. I've disabled the asset in the ES configuration, but it hasn't had any effect. How can I get rid of this junk data?

0 Karma
Reply

hardikJsheth
Motivator
‎07-29-2016 05:31 AM

I aggree with rynoconnor's second answer.

The asset and identities are in a lookup file. Whatever new lookups are added as identity or asset, ES will merged data into the existing lookup file rather than overwriting.

For this purpose, if you want to remove demo assets, you should empty asset_lookup_by_str.csv and asset_lookup_by_cidr.csv files. These files can be found in SA-IdentityManagement/lookups folder.

Reply

ryanoconnor
Builder
‎07-29-2016 04:58 AM

I know in version 4.1.0 assets get merged into two files. You can search both of those using the following:

|inputlookup append=T asset_lookup_by_str | inputlookup append=t asset_lookup_by_cidr_raw

This will confirm if your demo assets are still in the merged file. I would recommend backing up the file first, but you could empty this file and it would rebuild upon next merge.

I know a similar set of files (possibly the same ones) exists in earlier versions of ES.

Ryan

Reply

khagan
Path Finder
‎07-29-2016 08:05 AM

So this worked, but now my own asset lists aren't merging back in - the files are just empty. I've tried to force the merge:
$SPLUNK_HOME/bin/splunk cmd splunkd print-modinput-config identity_manager | $SPLUNK_HOME/bin/python $SPLUNK_HOME/etc/apps/SA-IdentityManagement/bin/identity_manager.py --username=admin

Still when I search for assets, it now returns 0 results. Am I missing a step?

0 Karma
Reply

hardikJsheth
Motivator
‎07-29-2016 09:28 AM

Do you have empty file ? Keep the files with header lines.

0 Karma
Reply

khagan
Path Finder
‎07-29-2016 09:29 AM

The file still has the headers:
key,asset_id,asset_tag,bunit,category,city,country,dns,ip,is_expected,lat,long,mac,nt_host,owner,pci_domain,priority,requires_av,should_timesync,should_update

0 Karma
Reply

ryanoconnor
Builder
‎07-29-2016 04:44 AM

Have you tried disabling the demo assets and waiting for the merge process to run?

http://docs.splunk.com/Documentation/ES/4.2.0/User/Identitymanagement#Verify_the_merging_process

0 Karma
Reply

khagan
Path Finder
‎07-29-2016 04:45 AM

Yes, as mentioned I've disabled the demo assets. I've also forced the merge, and nothing has happened.

0 Karma
Reply

ryanoconnor
Builder
‎07-29-2016 04:54 AM

What version of ES are you running?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...