Security

Using Enterprise Security Identity Lookup Fields In SPL Query

cbschreiber
Explorer

I have a really simple query that I'd like to join with Enterprise Security's Identity inputlookup and grab a field from there. 

Here is the simple SPL:

index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| table _time user

Trying to use a join to grab the data:

index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| join type=left overwrite=true user
[ |inputlookup my_identity_lookup | search identity=user | fields priority ]
| table _time user priority

 

But the priority field returns blank. Would appreciate any help fixing this! 

Thanks in advance!

0 Karma

scelikok
SplunkTrust
SplunkTrust

You must use fieldname after AS. Your base search Please try below;

| lookup my_identity_lookup identity AS user OUTPUT priority

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

cbschreiber
Explorer

 

Understood. When I try that it throws the error:

Streamed search execute failed because: Error in 'lookup' command: Could not construct lookup 'my_identity_lookup, identity, AS, user, OUTPUT, priority'. See search.log for more details..

SPL is 

index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| lookup my_identity_lookup identity AS user OUTPUT priority
| table _time user priority

 

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @cbschreiber,

You can use lookup command without join and subsearch;

index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| lookup my_identity_lookup identity AS user OUTPUT priority 
| table _time user priority

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

cbschreiber
Explorer
Hi Scelikok, 
 
Thank you for the response. Not sure what I might be doing wrong here… but when I try this, it throws an error:
 
Streamed search execute failed because: Error in 'lookup' command: Could not construct lookup ‘my_identity_lookup, identity, AS, user, OUTPUT, priority'. See search.log for more details..
 
 
I tied this, which produces results
 
| inputlookup my_identity_lookup | where identity=“xxx.yyy"
 
Then tried this, which does NOT produce results
 
| lookup my_identity_lookup identity AS “xxx.yyy" OUTPUT priority
 
Thoughts on what I'm doing wrong here?
0 Karma

bowesmana
SplunkTrust
SplunkTrust

you are joining on 'user' but you don't return user in the subsearch, only priority. Change to 

| fields user priority
0 Karma

cbschreiber
Explorer

Hi Bowesmana, 

I tried this but it did not help. Thank you for chiming in. 

 

0 Karma
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...