Identity Merging
Identities from the selected identity lookups can be merged into the primary identity collection in two ways. The first, and easiest, is to navigate to the Identity Management dashboard and click the Execute Merge Search button. The merge is executed immediately, and a notification appears once it completes.
The second way to merge identities is with the custom search command provided in the app. To execute the merge using the custom command, run the following command in a Splunk search window:
| asceraidentitymerge
When the command is completed, an event will be shown with the status of the merge. The custom command is useful for merging via ad-hoc searches or saved searches.
The Assets & Identities app includes the ASCERA Merge – Identities saved search, which is enabled by default and runs every 12 hours. The saved search simply executes the custom search command discussed previously, | asceraidentitymerge. To modify the saved search, its schedule, or any other parameter, navigate to Searches, Reports, and Alerts within Splunk. Set the filters to Type: All, App: ASCERA A&I, and Owner: All. Once the saved search is visible, click the Edit dropdown and select the desired category. Then make any necessary changes and save.