Hi Splunkers;
Previously, the Asset Center and Identity Center dashboards took their results from assets.csv and identities.csv, which was good. Now, after updating assets.csv and identities.csv, the results that appear on those dashboards are taken from identities_expanded.csv and assets_by_str.csv.
Why did this behavior occur, and how can we make the dashboards take results from assets.csv and identities.csv?
Please help us in that.
Hi jawaharas;
Thank you for your reply.
We have 4.7.4 for 'Splunk Enterprise Security' app and 6.6.5 for 'Splunk Enterprise'
And the 'Enable Identity Generation Autoupdate' setting is true already from initial.
But when I set | `identity_sources` in search, the results appeared from identities.csv.
But the issue still exists in the Asset Center and Identity Center dashboards in ES, please help me.
Regards;
Checklist:
1. Verify whether you can view the assets.csv and identities.csv lookup tables under the 'Identity Management' page and that they are categorized as asset and identity respectively.
2. Also, these lookup tables should be in the 'Enabled' state.
3. If it's still not working, add the lookup table entry to the macros below (Settings->Advanced Search->Macros)
a) assets.csv to the asset_sources macro. Add the below code to your macro at the beginning:
inputlookup append=t assets |
b) identities.csv to the identity_sources macro.
inputlookup append=t identities |
Note: A lookup definition should be created for your lookup tables for this code to work.
@aalhabbash1
Click Accept on this answer. Not on your own comment pls.
All of the above that you mentioned already exists.
And the issue has been resolved; I only disabled and then enabled static_assets and static_identities in Identity Management in ES.
Thank you for your support
Glad it helped you to resolve the issue. Please accept and/or upvote the answer!
The identities_expanded.csv lookup is the cumulative output of all identities lookup tables configured under ESS. This lookup table is populated by the report 'Identity - Identity Matches - Lookup Gen'. So, ideally it should have entries from the identities.csv lookup file as well.
'Identity - Identity Matches - Lookup Gen' - Report's query:
| `identity_sources`
| `make_identities`
| eval `iden_mktime_meval(startDate)`,`iden_mktime_meval(endDate)`,identity=mvsort(identity)
| sort 0 +identity
| outputlookup output_format=splunk_mv_csv identity_lookup_expanded
Can you explain about the issue you are facing?
Note: Pls reply to this thread rather than posting your response as a new answer.
@jawaharas
The issue I am facing is that the Asset Center and Identity Center dashboards in ES are displaying results from the default assets and identities lookup tables (assets_by_str.csv and identities_expanded.csv), not from the assets and identity files which I created (assets.csv and identities.csv). I need to display results from (assets.csv and identities.csv), not from (assets_by_str.csv and identities_expanded.csv). How can I obtain that?
And the 'Enable Identity Generation Autoupdate' setting was already set before.
Make sure you have set the below setting as true in the 'Configure-->General Settings' configuration page of the ESS app.
'Enable Identity Generation Autoupdate'
Because, if true, it permits the Identity Manager to auto-update the asset_sources, identity_sources, and generate_identities macros. Also, you can verify the list of lookup tables in your identity sources using the below macro.
| `identity_sources`
Tip: Use 'Ctrl+Shift+E' (in Windows) to expand the macro and view its content.
Reference: https://docs.splunk.com/Documentation/ES/5.3.1/Admin/Addassetandidentitydata
Which version of the 'Splunk Enterprise Security' app are you using?