Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Whats the best way to verify Identity and Asset framework is properly setup in ES ?

damode
Motivator
‎12-02-2020 01:16 AM
 
0 Karma
Reply

Jhunter
Explorer
‎12-09-2020 12:41 PM

Another (slightly crude) way is on your fields side bar for sourcetypes that have asset/identity fields (such as user) extracted, you should see the user_ fields with each user header (example: user_email, user_nick, user_first). 

0 Karma
Reply

Jhunter
Explorer
‎12-09-2020 12:43 PM

For assets I believe these are the src_ fields that match the asset header such as

src_should_update

src_is_expected

0 Karma
Reply

nickhills
Ultra Champion
‎12-02-2020 05:23 AM

The easiest way to confirm that you have identities and assets being collected and presented correctly is with the following two searches.

 

 

|`identities`
and
|`assets`

 

 

If those commands produce complete & well formatted output, then it should be working. 

If my comment helps, please give it a thumbs up!
Reply

lkutch_splunk
Splunk Employee
Splunk Employee
‎12-02-2020 03:21 PM

I agree with nickhillscpl & it's one of the options listed in the doc: 

https://docs.splunk.com/Documentation/ES/6.4.0/Admin/Verifyassetandidentitydata

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New in Splunk Cloud Platform 9.1.2308?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2308! Analysts can ...

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...