Re: Whats the best way to verify Identity and Asse...

damode · ‎12-02-2020

Jhunter · ‎12-09-2020

Another (slightly crude) way is on your fields side bar for sourcetypes that have asset/identity fields (such as user) extracted, you should see the user_ fields with each user header (example: user_email, user_nick, user_first).

Jhunter · ‎12-09-2020

For assets I believe these are the src_ fields that match the asset header such as

src_should_update

src_is_expected

nickhills · ‎12-02-2020

The easiest way to confirm that you have identities and assets being collected and presented correctly is with the following two searches.

|`identities`
and
|`assets`

If those commands produce complete & well formatted output, then it should be working.

If my comment helps, please give it a thumbs up!

lkutch_splunk · ‎12-02-2020

I agree with nickhillscpl & it's one of the options listed in the doc:

https://docs.splunk.com/Documentation/ES/6.4.0/Admin/Verifyassetandidentitydata

Whats the best way to verify Identity and Asset framework is properly setup in ES ?

administration

configuration

using Enterprise Security

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?