Adding Enterprise Security Identity data to a Splunk result set

cbschreiber
Loves-to-Learn

I have a really simple query that I'd like to join with Enterprise Security's Identity data.

In this case, simply grab the user from a Palo Alto system log, cross-reference the user with the ES Identity lookup, and grab the priority field for that user. Simple, right?

Here is the SPL I've tried:

index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| join type=left user
[ |inputlookup es_identity_lookup | search identity=user | fields priority ]
| table _time user priority

But nothing populates the priority field.  Also tried: 

index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| lookup es_identity_lookup identity AS user OUTPUT priority
| table _time user priority

But this doesn't even run. Throws an error. 

Any help here would be most appreciated! Thanks in advance. 
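As an added example (not part of the original post, and not Splunk's or ES's own code), this is a version of the first query in which the subsearch actually carries the join field: in the post's first SPL, `search identity=user` matches the literal string "user" and `fields priority` drops the identity column, so `join` has no `user` field to match on. The example assumes that `identity` in es_identity_lookup may hold several pipe-delimited identities per row (an assumption about the lookup contents); `split` and `mvexpand` make each one its own row so any of them can match the event's `user`, and it works unchanged if each row holds a single identity.

```spl
index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| join type=left user
    [ | inputlookup es_identity_lookup
      | eval user=split(identity, "|")
      | mvexpand user
      | fields user priority ]
| table _time user priority
```

If the event's `user` and the lookup's `identity` differ in case or carry a domain prefix, normalize both sides with `eval user=lower(user)` (and strip the domain) before the join, otherwise the left join returns rows with an empty priority exactly as described in the post.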
