Docs Latest (#42)

- Updated docs versions. - Added troubleshooting guide for Asset merging.
splunk · Feb 18, 2023 · 4f542c9 · 4f542c9
2 parents 21de332 + 0fbcf14
commit 4f542c9
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 3 deletions.
diff --git a/docs/assets/asset-key-field.png b/docs/assets/asset-key-field.png
diff --git a/docs/requirements.txt b/docs/requirements.txt
@@ -1,5 +1,5 @@
 mkdocs==1.4.2
-mkdocs-material==9.0.6
+mkdocs-material==9.0.12
 mkdocs-git-revision-date-localized-plugin==1.1.0
 mkdocs-minify-plugin==0.6.2
 mkdocs-glightbox==0.3.1
diff --git a/docs/troubleshooting/index.md b/docs/troubleshooting/index.md
@@ -4,5 +4,5 @@ There can be many issues when setting up a new app/add-on in Splunk. Below highl
 
 Issue | Description | Solution
 ----- | ----------- | --------
-Multiple asset merge | It is possible that some of your devices share a common mac address or another key field which will cause merging by default. | If Crowdstrike is your only asset source you can disable asset merge under global settings. See [Asset Merge Solution](./solution-guides/asset-merge) for more information.
+Multiple asset merge | It is possible that some of your devices share a common key field (`dns`, `ip`, `mac`, `nt_host`) which will cause merging by default. |See the [Asset Merge Solutions](./solution-guides/asset-merge) for ways to improve the merging behavior.
 Asset Database not populating with Crowdstrike Data | The asset database may show no Crowdstrike data if the initial search has not run to build the asset database or the default macro has not been updated. | Verify the default macro has the correct index definition (see [Update Default Macro](/quickstart/quickstart/#update-default-macro)). Also see [Force build](/quickstart/quickstart/#force-initial-build) to build the Crowdstrike assets lookup before the first scheduled run.
diff --git a/docs/troubleshooting/solution-guides/asset-merge.md b/docs/troubleshooting/solution-guides/asset-merge.md
@@ -1,6 +1,64 @@
 # Asset Merge
 
-It may be possible that your devices share a common mac address or another key field that is causing an erroneous merge of your assets. If Crowdstrike is your only data source for assets, you can disable asset merge in the global settings.
+ It is possible that some of your devices share a common key field (`dns`, `ip`, `mac`, `nt_host`) that is causing an erroneous merge of your assets. There are a few ways to overcome this:
+
+- [Disable Asset merging](#disable-asset-merging)
+- [Update Asset key fields](#update-asset-key-fields)
+
+## Problem Scenario
+
+Consider you have the following assets:
+
+Host | dns | ip | mac | nt_host
+---- | --- | -- | --- | -------
+host1 | host1.local | ==10.0.34.9== | 77:61:f5:cb:33:a7 | host1
+host2 | host2.local | ==10.0.34.9== | a5:e7:5c:39:77:d1 | host2
+
+Since these two systems share the same IP they will be merged into a single asset by default.
+
+### Default merge
+
+Asset | dns | ip | mac | nt_host
+----- | --- | -- | --- | -------
+host1<br>host2<br>host1.local<br>10.0.34.9<br>77:61:f5:cb:33:a7<br>a5:e7:5c:39:77:d1 | host1.local<br>host2.local | 10.0.34.9 | 77:61:f5:cb:33:a7<br>a5:e7:5c:39:77:d1 | host1<br>host2
+
+### Expected behavior
+
+<small>_see next section to accomplish this expected behavior_<small>
+
+Asset | dns | ip | mac | nt_host
+----- | --- | -- | --- | -------
+host1<br>host1.local<br>10.0.34.9<br>77:61:f5:cb:33:a7 | host1.local | 10.0.34.9 | 77:61:f5:cb:33:a7 | host1
+host2<br>host2.local<br>10.0.34.9<br>a5:e7:5c:39:77:d1 | host2.local | 10.0.34.9 | a5:e7:5c:39:77:d1 | host2
+
+## Solutions
+
+### Disable Asset Merging
+
+If Crowdstrike is your **_only_** data source for assets, you can disable asset merge in the global settings.
+
+!!! warn "This is not recommended if you have more than one asset list configured (see next section)"
 
 1. In Enterprise Security navigate to Configure > Data Enrichment > Asset and Identity Management > Global Settings.
 1. Toggle off "Assets" under `Enable Merge for Assets or Identities`.
+
+Changes should reflect the next time the Asset database builds (usually 5-10 minutes).
+
+<small>\*_For more information, see [Splunk Docs](https://docs.splunk.com/Documentation/ES/latest/Admin/Merge){ target="blank" }._</small>
+
+### Update Asset Key Fields
+
+If you have more than one asset list configured you can look at disabling the common key field to prevent the default merging behavior.
+
+!!! tip "In most cases, the IP field will be field that needs to disabled as the key field."
+
+1. (In Enterprise Security) Navigate to Configure > Data Enrichment > Asset and Identity Management.
+1. Select the "Asset Fields" Tab.
+1. Select the `ip` field (or the field you want to disable) and "uncheck" it from being a Key.
+
+<figure markdown>
+![Disable Asset Key](/assets/asset-key-field.png)
+<figcaption>Disable Asset Key by unchecking "Key"</figcaption>
+</figure>
+
+Changes should reflect the next time the Asset database builds (usually 5-10 minutes).