I have a really simple query that I'd like to join with Enterprise Security's Identity data.
In this case, simply grab the user from a Palo Alto system log, cross reference the user with ES Identity lookup and grab the priority field for that user. Simple right??
Here is the SPL I've tried:
index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| join type=left user
[ |inputlookup es_identity_lookup | search identity=user | fields priority ]
| table _time user priority
But nothing populates the priority field. Also tried:
index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| lookup es_identity_lookup identity AS user OUTPUT priority
| table _time user priority
But this doesn't even run. Throws an error.
Any help here would be most appreciated! Thanks in advance.
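As an added illustration (not part of the original post, and not a confirmed answer): in the first query the subsearch filters with `search identity=user`, which compares the `identity` field to the literal string "user", and `fields priority` then drops the `identity` column entirely, so the subsearch never carries a `user` field for `join` to match on. The variant below keeps the join field by renaming `identity` to `user` inside the subsearch; it assumes `es_identity_lookup` is a lookup that can be read with `inputlookup` and that its `identity` values match the `user` values in the `pan:system` events.

```spl
index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| join type=left user
    [| inputlookup es_identity_lookup
     ``` rename the identity column so the subsearch exposes the join field ```
     | rename identity AS user
     ``` keep the join field together with the field we want to pull across ```
     | fields user priority ]
| table _time user priority
```

If the join still returns empty priorities, compare a sample of `user` values from the events against `identity` values from the lookup directly (case and domain formatting, for example `DOMAIN\jdoe` versus `jdoe`, must match exactly for `join` to pair rows).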