
Splunk Add-on for Admon Enrichment (SA-admon) Troubleshooting Guide

ES > Configure > Data Enrichment > Asset & Identity Management > Search Preview

First, run through the preview searches to look for issues in the merged data. This step is especially important when merging multiple different lookup sources. The preview searches can be copied from the Search Preview tab within A&I.

Search Preview

Merging Issues

Merging is returning more results than expected

  • Check that the merge fields are named correctly

Merging is occurring on unintentional field values, like an unknown MAC address

  • Add an exclusion for the unknown value

Search preview looks fine however the lookup does not

  • Your changes have worked; the lookup is stale, so reset the collections

Identify merging errors

  • index=_internal source=*entity*.log
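A pre-merge check for the symptoms above, added here as an example (not part of SA-admon or ES): it reads one candidate asset source, expands each of the four asset merge keys, and reports any key value shared by more than one host, flagging placeholder values that would merge unrelated assets. `my_asset_source.csv` is a placeholder for your own lookup, and the placeholder-value pattern is an assumption to adjust to your data.

```spl
| inputlookup my_asset_source.csv
| fillnull value="" ip mac nt_host dns
| eval mac=lower(trim(mac)), nt_host=upper(trim(nt_host)), dns=lower(trim(dns))
| eval key_pairs=mvappend("ip="+ip, "mac="+mac, "nt_host="+nt_host, "dns="+dns)
| mvexpand key_pairs
| rex field=key_pairs "^(?<key_field>[^=]+)=(?<key_value>.*)$"
| where key_value!=""
| eval placeholder=if(match(key_value, "(?i)^(unknown|n/?a|none|00:00:00:00:00:00|0\.0\.0\.0)$"), "yes", "no")
| stats dc(nt_host) AS distinct_hosts values(nt_host) AS hosts BY key_field key_value placeholder
| where distinct_hosts > 1
| sort - distinct_hosts
```

Rows with `placeholder=yes` and a high `distinct_hosts` count are the values to exclude before merging; rows with `placeholder=no` and more than one host usually point at a misnamed or mis-assigned key field in the source.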

Raw logs not being enriched

Ensure A&I Lookups are enabled

ES > Configure > Data Enrichment > Asset & Identity Management > Correlation Setup

Correlation Setup

The lookup may contain incorrect values in the key fields listed below

  • Asset Lookups: ip, mac, nt_host, dns
  • Identity Lookup: identity (ensure the values are all being merged into the identity field from the desired source fields, e.g. email, sAMAccountName, userPrincipalName, downLevelDomainName)

Raw events may not have correctly named fields whose values match a value in the asset or identity key fields

  • Asset Fields: src, dest, dvc
  • Identity Fields: user, src_user
  • Note that the field names must match the names above exactly

Overlapping Naming Conventions and IP Addressing Schemes