Adding Enterprise Security Identity data to a Splu...

Security

I have a really simple query that I'd like to join with Enterprise Security's Identity data.

In this case, simply grab the user from a Palo Alto system log, cross reference the user with ES Identity lookup and grab the priority field for that user. Simple right??

Here is the SPL I've tried:

But nothing populates the priority field. Also tried:

index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| lookup es_identity_lookup identity AS user OUTPUT priority
| table _time user priority

But this doesn't even run. Throws an error.

Any help here would be most appreciated! Thanks in advance.

Get Updates on the Splunk Community!

Adding Enterprise Security Identity data to a Splunk result set

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation