What's the best way to verify the Identity and Asset framework is properly set up in ES?
damode
Motivator
12-02-2020
01:16 AM
Jhunter
Explorer
12-09-2020
12:41 PM
Another (slightly crude) way is to check your fields sidebar: for sourcetypes that have asset/identity fields (such as user) extracted, you should see the user_ fields with each user header (example: user_email, user_nick, user_first).
Jhunter
Explorer
12-09-2020
12:43 PM
For assets, I believe these are the src_ fields that match the asset header, such as:
src_should_update
src_is_expected
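The field-sidebar check described in the two posts above can be scripted over exported search results. This is an added example, not part of the thread and not Splunk's own code; it assumes one flat JSON object per event (a constructed layout), and the function and sample data are hypothetical.

```python
import json

# Enrichment fields named in the thread, keyed by the event field they hang off.
ENRICHMENT_FIELDS = {
    "user": ("user_email", "user_nick", "user_first"),
    "src": ("src_should_update", "src_is_expected"),
}

# Constructed sample: one flat JSON object per event (an assumed export layout).
SAMPLE_EVENTS = """\
{"sourcetype": "linux_secure", "user": "alice", "src": "10.0.0.5", "user_email": "alice@example.com", "user_first": "Alice", "src_is_expected": "true", "src_should_update": "true"}
{"sourcetype": "linux_secure", "user": "bob", "src": "10.0.0.9"}
{"sourcetype": "linux_secure", "user": "alice", "src": "10.0.0.9", "user_nick": "al"}
{"sourcetype": "proxy", "src": "10.0.0.5", "src_is_expected": ""}
{"sourcetype": "proxy", "user": ["carol", "bob"], "src": "10.0.0.7", "src_should_update": "false"}
"""


def _values(raw):
    """Normalise a field to a list of non-empty strings (handles multivalue)."""
    if raw is None:
        return []
    items = raw if isinstance(raw, list) else [raw]
    return [str(v) for v in items if str(v).strip()]


def enrichment_report(ndjson_text):
    """Per key field: values seen, and values that never carried an enrichment field."""
    seen = {k: set() for k in ENRICHMENT_FIELDS}
    enriched = {k: set() for k in ENRICHMENT_FIELDS}
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for key, extras in ENRICHMENT_FIELDS.items():
            values = _values(event.get(key))
            seen[key].update(values)
            # Any non-empty enrichment field counts; with a multivalue key,
            # every value in the event is credited.
            if any(_values(event.get(f)) for f in extras):
                enriched[key].update(values)
    return {k: {"seen": sorted(seen[k]), "unenriched": sorted(seen[k] - enriched[k])}
            for k in ENRICHMENT_FIELDS}


if __name__ == "__main__":
    for key, result in enrichment_report(SAMPLE_EVENTS).items():
        print(key, "seen:", result["seen"], "no enrichment:", result["unenriched"])
```

If every value lands in "unenriched", the enrichment itself is not being applied; isolated misses more likely mean that user or host is absent from the identity or asset data.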

nickhills
Ultra Champion
12-02-2020
05:23 AM
The easiest way to confirm that you have identities and assets being collected and presented correctly is with the following two searches.
|`identities`
and
|`assets`
If those commands produce complete & well-formatted output, then it should be working.
If my comment helps, please give it a thumbs up!
lkutch_splunk

Splunk Employee
12-02-2020
03:21 PM
I agree with nickhillscpl & it's one of the options listed in the doc:
https://docs.splunk.com/Documentation/ES/6.4.0/Admin/Verifyassetandidentitydata
