Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Whats the best way to verify Identity and Asset framework is properly setup in ES ?

damode
Motivator
‎12-02-2020 01:16 AM
 
0 Karma
Reply

Jhunter
Explorer
‎12-09-2020 12:41 PM

Another (slightly crude) way is on your fields side bar for sourcetypes that have asset/identity fields (such as user) extracted, you should see the user_ fields with each user header (example: user_email, user_nick, user_first). 

0 Karma
Reply

Jhunter
Explorer
‎12-09-2020 12:43 PM

For assets I believe these are the src_ fields that match the asset header such as

src_should_update

src_is_expected

0 Karma
Reply

nickhills
Ultra Champion
‎12-02-2020 05:23 AM

The easiest way to confirm that you have identities and assets being collected and presented correctly is with the following two searches.

 

 

|`identities`
and
|`assets`

 

 

If those commands produce complete & well formatted output, then it should be working. 

If my comment helps, please give it a thumbs up!
Reply

lkutch_splunk
Splunk Employee
Splunk Employee
‎12-02-2020 03:21 PM

I agree with nickhillscpl & it's one of the options listed in the doc: 

https://docs.splunk.com/Documentation/ES/6.4.0/Admin/Verifyassetandidentitydata

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...