# Asset Merge
Enterprise Security merges asset entries that share a value in any asset key field (dns, ip, mac, nt_host) into a single asset. If two distinct devices share one of those values, most often an IP address (NAT, a reused DHCP lease, a VPN pool), they are merged erroneously: the combined asset carries both hostnames, and the priority, category and owner of one host are applied to events from the other. There are a few ways to overcome this:
## Problem Scenario
Consider the following two assets:
Because both systems share the same IP address, the default merge behavior combines them into a single asset.
### Default merge
### Expected behavior
See the Solutions section below for how to achieve this expected behavior.
## Solutions
### Disable Asset Merging
If CrowdStrike is your only data source for assets, you can disable asset merging in the global settings.
This is not recommended if you have more than one asset list configured, because merging is what combines entries for the same host that appear in different lists; in that case use the approach in the next section instead.
- In Enterprise Security, navigate to Configure > Data Enrichment > Asset and Identity Management > Global Settings.
- Under "Enable Merge for Assets or Identities", toggle off "Assets".
Changes take effect the next time the asset database is built (usually within 5-10 minutes).
For more information, see Splunk Docs.
### Update Asset Key Fields
If you have more than one asset list configured, you can instead remove the shared field from the set of key fields, so that matching values in that field no longer trigger a merge while the remaining key fields still combine entries for the same host across lists.
In most cases the field to remove is ip: a hostname or MAC address identifies a device far more reliably than an IP address, which can be shared or reused.
- In Enterprise Security, navigate to Configure > Data Enrichment > Asset and Identity Management.
- Select the "Asset Fields" tab.
- Select the ip field (or the field you want to remove) and uncheck "Key".
Changes take effect the next time the asset database is built (usually within 5-10 minutes). After the rebuild, confirm that the previously merged systems now appear as separate assets and that events are still enriched with the expected asset fields.
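To make the behavior in the Problem Scenario and the effect of the key-field change concrete, here is a small model of the merge logic. It is an illustration added for this page, not Splunk's code, and the asset rows are constructed sample data (the real framework reads them from your asset list lookups). It shows two things the scenario alone does not: merging is transitive through chains of shared key values, and a collision check run before changing any setting tells you which field is responsible for the unwanted merge.

```python
"""Model of how Enterprise Security merges asset rows that share a key-field value.

Added illustration for this page; it is not Splunk's implementation.  Rows that
share a value in any key field (dns, ip, mac, nt_host) become one asset, and the
merge is transitive: if A shares an IP with B and B shares a MAC with C, all
three become a single asset.  The sample rows below are constructed.
"""
from collections import defaultdict

DEFAULT_KEY_FIELDS = ("dns", "ip", "mac", "nt_host")

# Constructed sample rows, as they might come from two different asset lists.
# A workstation and a database server currently report the same IP (for
# example a reused DHCP lease), and the server also appears in a second list
# under another IP.
SAMPLE_ASSETS = [
    {"nt_host": "WKSTN-01", "ip": "10.0.0.5", "mac": "00:11:22:33:44:01",
     "dns": "wkstn-01.corp.example", "priority": "low"},
    {"nt_host": "SRV-DB-01", "ip": "10.0.0.5", "mac": "00:11:22:33:44:02",
     "dns": "srv-db-01.corp.example", "priority": "critical"},
    {"nt_host": "SRV-DB-01", "ip": "10.0.1.7", "mac": "00:11:22:33:44:02",
     "dns": "", "priority": "critical"},
]


def _values(row, field):
    """Split a possibly multivalued cell; ES asset lists use '|' as the separator."""
    return [v.strip() for v in str(row.get(field, "")).split("|") if v.strip()]


def find_colliding_keys(rows, key_fields=DEFAULT_KEY_FIELDS):
    """Return {(field, value): [row indices]} for key values shared by more than one row.

    Run this before touching settings: it shows which key field causes the
    unwanted merge (here ip) and which collisions you want to keep (the two
    SRV-DB-01 rows legitimately share nt_host and mac)."""
    owners = defaultdict(list)
    for i, row in enumerate(rows):
        for field in key_fields:
            for value in _values(row, field):
                owners[(field, value)].append(i)
    return {k: v for k, v in owners.items() if len(v) > 1}


def merge_assets(rows, key_fields=DEFAULT_KEY_FIELDS):
    """Merge rows transitively over shared key-field values (union-find).

    Returns one dict per merged asset, mapping every field to the distinct
    values collected from its member rows, in order of first appearance."""
    parent = list(range(len(rows)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}
    for i, row in enumerate(rows):
        for field in key_fields:
            for value in _values(row, field):
                key = (field, value)
                if key in first_seen:
                    union(first_seen[key], i)
                else:
                    first_seen[key] = i

    groups = defaultdict(list)
    for i, row in enumerate(rows):
        groups[find(i)].append(row)

    merged = []
    for members in groups.values():
        asset = {}
        for row in members:
            for field in row:
                for value in _values(row, field):
                    asset.setdefault(field, [])
                    if value not in asset[field]:
                        asset[field].append(value)
        merged.append(asset)
    return merged


if __name__ == "__main__":
    print("collisions:", find_colliding_keys(SAMPLE_ASSETS))
    for label, keys in (("default key fields", DEFAULT_KEY_FIELDS),
                        ("ip removed from key fields", ("dns", "mac", "nt_host"))):
        assets = merge_assets(SAMPLE_ASSETS, keys)
        print(f"{label}: {len(assets)} asset(s)")
        for asset in assets:
            print("  ", asset)
```

With the default key fields all three rows collapse into one asset whose priority list is both "low" and "critical", which is how a workstation can inherit a server's priority in notable events. With ip removed from the key fields, WKSTN-01 stands alone while the two SRV-DB-01 rows still merge through nt_host and mac, which is the expected behavior described above.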