Splunk Enterprise Security

Whats the best way to verify Identity and Asset framework is properly setup in ES ?

damode
Motivator
0 Karma

Jhunter
Explorer

Another (slightly crude) way is on your fields side bar for sourcetypes that have asset/identity fields (such as user) extracted, you should see the user_ fields with each user header (example: user_email, user_nick, user_first). 

0 Karma

Jhunter
Explorer

For assets I believe these are the src_ fields that match the asset header such as

src_should_update

src_is_expected

0 Karma

nickhills
Ultra Champion

The easiest way to confirm that you have identities and assets being collected and presented correctly is with the following two searches.

 

 

|`identities`
and
|`assets`

 

 

If those commands produce complete & well formatted output, then it should be working. 

If my comment helps, please give it a thumbs up!

lkutch_splunk
Splunk Employee
Splunk Employee

I agree with nickhillscpl & it's one of the options listed in the doc: 

https://docs.splunk.com/Documentation/ES/6.4.0/Admin/Verifyassetandidentitydata

0 Karma
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...