This excludes those fields and their values from the KV store collections for that particular lookup. You might use this in the case where you have a field in your source file that you don't want to rely on for information.

Any new asset list gets added to the bottom of the list by default. You can rank the order of this list to determine priority for merging assets. If an asset exists in multiple source files as a single value, or exists multiple times in the same source file, this ranking is the weighted order for merging them. By default, the single value asset fields are as follows:

These are the fields where the rank takes effect. For example, if you're merging two assets and they both have a value for the is_expected field, you need to choose one to take precedence. The row at the top of the list takes precedence, and the merge process uses that row's value rather than the value from the row that's ranked second.

To change the rank, do the following from the Asset Lookup tab:
1. Drag and drop the rows of the table into a new order.
2. When finished reordering, click Save Ranking.

Ranking is not considered for a multivalue field. The merge process combines all the values into the field, and then removes the duplicates. Key fields are dns, ip, mac, and nt_host. If you store extra information in your key fields, such as the same IP address assigned to multiple systems, these duplicate IP addresses are merged together as one asset, and that merged asset then carries the single-value attributes (such as is_expected or priority) of whichever row ranks highest. Make sure that the information in your key fields either belongs to the same asset or does not overlap.

You can turn off or turn on an asset lookup input. Turning off an input does not delete the data from the associated lookup in Splunk Enterprise Security; it only prevents the contents of the corresponding list from being included in the merge process.
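The merge rules described above (ranked single-value fields, deduplicated multivalue fields, matching on the key fields dns, ip, mac and nt_host, and turned-off inputs that never reach the merge) modelled in Python, as an added example that is not Splunk's own merge code. It assumes that is_expected and priority are the single-value fields, that multivalue cells are pipe-delimited, and it uses constructed source names and rows. The constructed data includes the caveat's failure mode: a lab VM that reuses DB01's IP address is collapsed into the DB01 asset, which then inherits DB01's is_expected and priority values. The helper shared_key_values is an added check that lists every key value carried by more than one row of the enabled inputs, so overlaps can be reviewed before the inputs are enabled.

```python
"""Model of how ranked asset lookups merge in Splunk Enterprise Security.

Added illustration only, not Splunk's merge implementation. Field names
follow the ES asset schema; source names, ranking and rows are constructed.
"""
from collections import defaultdict

KEY_FIELDS = ("dns", "ip", "mac", "nt_host")
# Assumption: is_expected and priority are ranked single-value fields;
# every other field, including the key fields, is multivalue.
SINGLE_VALUE_FIELDS = {"is_expected", "priority"}
MV_DELIM = "|"  # assumption: pipe-delimited multivalue cells


def _values(cell):
    """Split one lookup cell into its values; an empty cell contributes nothing."""
    return [v.strip() for v in (cell or "").split(MV_DELIM) if v.strip()]


def _shares_key(asset, row):
    """True if any key-field value of `row` is already present on `asset`."""
    return any({v for _, v in asset.get(f, [])} & set(_values(row.get(f)))
               for f in KEY_FIELDS)


def _finalize(acc):
    """Resolve {field: [(rank, value), ...]} into the final asset record."""
    out = {}
    for field, vals in acc.items():
        ordered = sorted(vals, key=lambda rv: rv[0])  # top rank first (stable)
        if field in SINGLE_VALUE_FIELDS:
            out[field] = ordered[0][1]  # highest-ranked row wins outright
        else:
            out[field] = list(dict.fromkeys(v for _, v in ordered))  # union, deduped
    return out


def merge_assets(sources):
    """Merge rows from ranked sources into assets.

    sources: list in rank order (index 0 = top of the ranking) of
             {"name": str, "enabled": bool, "rows": [{field: cell}, ...]}
    Disabled sources are skipped entirely, like a turned-off input.
    """
    assets = []  # each entry is {field: [(rank, value), ...]}
    for rank, src in enumerate(sources):
        if not src["enabled"]:
            continue
        for row in src["rows"]:
            contrib = defaultdict(list)
            for field, cell in row.items():
                if _values(cell):
                    contrib[field] = [(rank, v) for v in _values(cell)]
            contrib["sources"] = [(rank, src["name"])]
            matches = [a for a in assets if _shares_key(a, row)]
            if not matches:
                assets.append(contrib)
                continue
            # The row joins an existing asset; if it links several, fold them in too.
            target = matches[0]
            for other in matches[1:] + [contrib]:
                for field, vals in other.items():
                    target[field].extend(vals)
            assets = [a for a in assets if not any(a is o for o in matches[1:])]
    return [_finalize(a) for a in assets]


def shared_key_values(sources):
    """Key values present on more than one row across the enabled sources.

    The merge cannot tell a repeated key that belongs to one system from one
    shared by two, so each such value is returned with the rows carrying it.
    """
    where = defaultdict(list)
    for src in sources:
        if not src["enabled"]:
            continue
        for idx, row in enumerate(src["rows"]):
            for f in KEY_FIELDS:
                for v in _values(row.get(f)):
                    where[(f, v)].append((src["name"], idx))
    return {k: rows for k, rows in where.items() if len(rows) > 1}


def asset_by_ip(assets, ip):
    return next(a for a in assets if ip in a.get("ip", []))


# Constructed sample inputs, in ranked order (cmdb outranks scanner).
SOURCES = [
    {"name": "cmdb", "enabled": True, "rows": [
        {"nt_host": "WEB01", "ip": "10.0.0.5", "mac": "00:11:22:33:44:55",
         "is_expected": "true", "priority": "high", "category": "web"},
        {"nt_host": "DB01", "ip": "10.0.0.20",
         "is_expected": "true", "priority": "critical", "category": "database"},
    ]},
    {"name": "scanner", "enabled": True, "rows": [
        {"dns": "web01.corp.example", "ip": "10.0.0.5",
         "is_expected": "false", "priority": "medium", "category": "pci|external"},
        # Lab VM that reused DB01's old address: an overlapping key field.
        {"dns": "lab-vm.corp.example", "ip": "10.0.0.20",
         "priority": "low", "category": "lab"},
    ]},
    # Turned off: its rows stay in the lookup but never reach the merge.
    {"name": "legacy_export", "enabled": False, "rows": [
        {"nt_host": "WEB01", "is_expected": "false", "category": "decommissioned"},
    ]},
]

if __name__ == "__main__":
    for asset in merge_assets(SOURCES):
        print(asset)
    print("review before enabling:", shared_key_values(SOURCES))
    # Re-rank with scanner on top: WEB01 now takes scanner's single-value fields.
    print(asset_by_ip(merge_assets([SOURCES[1], SOURCES[0], SOURCES[2]]), "10.0.0.5"))
```

Running it shows DB01 and lab-vm.corp.example emerging as one asset with priority "critical" and is_expected "true", which is exactly what the caveat about overlapping key fields warns about; shared_key_values reports both repeated IPs so an operator can decide whether they belong to one system before the input is enabled, and moving scanner to the top of the ranking flips WEB01's is_expected and priority to the scanner's values.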