
Linux Auditd: Generate posix_identities lookup wrong username


I had host1 and host2.
host1 had username test1 and host2 had test2.
Then I removed all data for host1 from my Splunk.

And all logs from host2 have username test1 in the field user.
I reinstalled Linux Auditd (with add-ons), recreated the indexes and recollected the logs, and host2 still has test1 in the field user instead of test2.

The script Generate posix_identities lookup generated for me the lookup learnt_posix_identities with username test1,
but in all my logs and lookups I don't have username test1.

I have no idea how to fix it.
