Splunk Enterprise Security

The Asset Center and Identity Center dashboard.

aalhabbash1
Path Finder

Hi Splunkers;

Previously, the Asset Center and Identity Center dashboards took their results from assets.csv and identities.csv, which was good. Now, after updating assets.csv and identities.csv, the results that appear on those dashboards are taken from identities_expanded.csv and assets_by_str.csv.
Why did this behavior occur, and how can we make them take results from assets.csv and identities.csv?
Please help us with that.

0 Karma

jawaharas
Motivator

Checklist:
1. Verify whether you can view the assets.csv and identities.csv lookup tables under the 'Identity Management' page and that they are categorized as asset and identity respectively.
2. Also, these lookup tables should be in the 'Enabled' state.
3. If it's still not working, add the lookup table entries to the macros below (Settings->Advanced Search->Macros)
a) assets.csv to the asset_sources macro. Add the code below at the beginning of your macro

inputlookup append=t assets |

b) identities.csv to the identity_sources macro.

inputlookup append=t identities |

Note: Lookup definitions should be created for your lookup tables for this code to work.

0 Karma

jawaharas
Motivator

@aalhabbash1
Click Accept on this answer. Not on your own comment pls.

0 Karma

aalhabbash1
Path Finder

@jawaharas

Everything you mentioned above already exists.

And the issue has been resolved; I only disabled and then re-enabled static_assets and static_identities in Identity Management in ES.

Thank you for your support

0 Karma

jawaharas
Motivator

Glad it helped you to resolve the issue. Please accept and/or upvote the answer!

0 Karma

aalhabbash1
Path Finder

Hi jawaharas;

Thank you for your reply.
We have 4.7.4 for the 'Splunk Enterprise Security' app and 6.6.5 for 'Splunk Enterprise'.

And the 'Enable Identity Generation Autoupdate' setting has been true from the start.

But when I set | `identity_sources` in search, the results appeared from identities.csv.

But the issue still exists in the Asset Center and Identity Center dashboards in ES; please help me.

Regards;

0 Karma

jawaharas
Motivator

@aalhabbash1

The identities_expanded.csv lookup is the cumulative output of all identity lookup tables configured under ESS. This lookup table is populated by the report 'Identity - Identity Matches - Lookup Gen'. So, ideally, it should have the entries from the identities.csv lookup file as well.

'Identity - Identity Matches - Lookup Gen' - Report's query:
| `identity_sources` | `make_identities` | eval `iden_mktime_meval(startDate)`,`iden_mktime_meval(endDate)`,identity=mvsort(identity) | sort 0 +identity | outputlookup output_format=splunk_mv_csv identity_lookup_expanded

Can you explain the issue you are facing?

Note: Pls reply to this thread rather than posting your response as a new answer.

0 Karma
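One way to check the point made in the reply above, that the merged lookup should contain the entries from the source lookups (an added example, not part of the original thread and not Splunk's own search): it lists every identity returned by `identity_sources` that has no match in identity_lookup_expanded. It assumes the source lookups store multiple identities in a pipe-delimited identity column and that the expanded lookup can be matched on the identity field; an empty result means every source identity reached the merged lookup that the dashboards read.

```spl
| `identity_sources`
| eval identity=split(identity, "|")
| mvexpand identity
| where isnotnull(identity) AND identity!=""
| dedup identity
| lookup identity_lookup_expanded identity OUTPUT identity AS merged_identity
| where isnull(merged_identity)
| table identity
```

If rows are returned, re-run the 'Identity - Identity Matches - Lookup Gen' report and repeat the check before changing any macros.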

aalhabbash1
Path Finder

@jawaharas
The issue I am facing is that the Asset Center and Identity Center dashboards in ES are displaying results from the default assets and identities lookup tables (assets_by_str.csv and identities_expanded.csv), not from the asset and identity files which I created (assets.csv and identities.csv). I need to display results from (assets.csv and identities.csv), not from (assets_by_str.csv and identities_expanded.csv). How can I achieve that?

And the 'Enable Identity Generation Autoupdate' setting was already set before.

0 Karma

jawaharas
Motivator

Make sure you have set the setting below to true in the 'Configure-->General Settings' configuration page of the ESS app.

'Enable Identity Generation Autoupdate'

Because, if true, it permits the Identity Manager to auto-update the asset_sources, identity_sources, and generate_identities macros. Also, you can verify the list of lookup tables in your identity sources using the macro below.

| `identity_sources`

Tip: Use 'Ctrl+Shift+E' (in Windows) to expand the macro and view its content.

Reference: https://docs.splunk.com/Documentation/ES/5.3.1/Admin/Addassetandidentitydata

0 Karma

jawaharas
Motivator

Which version of the 'Splunk Enterprise Security' app are you using?

0 Karma