Which columns in the Assets lookup are used to identify an asset in an event?
A. src, dvc, dest
B. cidr, port, netbios, saml
C. ip, mac, dns, nt_host
D. host, hostname, url, address
The Answer Is:
C
Explanation:
The columns in the Assets lookup that are used to identify an asset in an event are ip, mac, dns, and nt_host. These columns contain the network identifiers of the assets, such as IP address, MAC address, DNS name, and NetBIOS name. Splunk Enterprise Security uses these columns to match the asset fields with the event fields, such as src, dest, dvc, host, and hostname. When a match is found, Splunk Enterprise Security enriches the event with the asset information, such as category, priority, business unit, and location. This allows you to search and analyze events based on the asset attributes and context.
References:
Asset Lookup CSV file
Asset and identity correlation
Asset & Identity for Splunk Enterprise Security - Part 1 ...