Splunk Add-on for Admon Enrichment (SA-admon) Troubleshooting Guide
ES > Configure > Data Enrichment > Asset & Identity Management > Search Preview

First, run through the preview searches to look for issues within the merged data. This step is especially important when merging multiple different lookup sources. The preview searches can be copied from the Search Preview tab within A&I.
Merging Issues
Merging is returning more results than expected
- Check that the fields are named correctly
Merging is occurring on unintentional field values, like an unknown MAC address
- Add an exclusion for the unknown value
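The failure above, worked through as an added illustration that is not code from SA-admon or Splunk ES: a simplified model of the A&I merge in which rows sharing any key value (ip, mac, nt_host, dns) become one asset. A placeholder MAC shared by two unrelated hosts collapses them into one entity; excluding that value before the merge keeps them apart. The row data, the `merge_assets` function and the exclusion format are constructed for this example.

```python
from collections import defaultdict

# Constructed sample rows from two hypothetical asset sources. web01 and db01
# both carry an all-zero placeholder MAC; the third row is a DHCP-style record
# for web01's IP with no hostname.
ASSET_ROWS = [
    {"ip": "10.0.0.5", "mac": "00:00:00:00:00:00", "nt_host": "web01", "dns": "web01.corp.example"},
    {"ip": "10.0.0.9", "mac": "00:00:00:00:00:00", "nt_host": "db01", "dns": "db01.corp.example"},
    {"ip": "10.0.0.5", "mac": "00:11:22:33:44:55", "nt_host": "", "dns": ""},
]

# The asset key fields listed in this guide.
KEY_FIELDS = ("ip", "mac", "nt_host", "dns")


def merge_assets(rows, exclusions=None):
    """Union-find merge: rows sharing any non-excluded key value form one asset.

    exclusions maps a field name to a set of values that must never be used
    as a merge key (e.g. {"mac": {"00:00:00:00:00:00"}}). This is a simplified
    stand-in for the real A&I merge, not its implementation.
    """
    exclusions = exclusions or {}
    parent = list(range(len(rows)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path compression
            i = parent[i]
        return i

    seen = {}  # (field, value) -> first row index that carried it
    for idx, row in enumerate(rows):
        for field in KEY_FIELDS:
            value = row.get(field, "")
            if not value or value in exclusions.get(field, set()):
                continue  # empty or excluded values never join rows
            key = (field, value)
            if key in seen:
                parent[find(idx)] = find(seen[key])
            else:
                seen[key] = idx

    groups = defaultdict(list)
    for idx in range(len(rows)):
        groups[find(idx)].append(rows[idx])
    # Each merged asset carries the union of its members' values per field.
    return [{f: sorted({m[f] for m in members if m[f]}) for f in KEY_FIELDS}
            for members in groups.values()]
```

Without the exclusion the three rows become a single asset; with the all-zero MAC excluded, web01 still picks up its real MAC via the shared IP while db01 stays separate.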
Search preview looks fine, but the lookup does not
- Your changes have worked; reset the collections so the lookup is regenerated from the merged data
Identify merging errors
- index=_internal source=*entity*.log
Raw logs not being enriched
Ensure A&I lookups are enabled
ES > Configure > Data Enrichment > Asset & Identity Management > Correlation Setup
Lookup may contain incorrect values in the listed fields
- Asset lookups: ip, mac, nt_host, dns
- Identity lookup: identity (ensure the values are all being merged into the identity field from the desired source fields, e.g. email, sAMAccountName, userPrincipalName, downLevelDomainName)
Raw events may not have correctly named fields whose values match an asset or identity field
- Asset fields: src, dest, dvc
- Identity fields: user, src_user
- Note that the field names must match exactly as listed above
Overlapping Naming Conventions and IP Addressing Schemes
- Enable Entity Zones