Security

Using Enterprise Security Identity Lookup Fields In SPL Query

cbschreiber
Explorer

I have a really simple query that I'd like to join with Enterprise Security's Identity inputlookup and grab a field from there. 

Here is the simple SPL:

index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| table _time user

Trying to use a join to grab the data:

index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| join type=left overwrite=true user
[ |inputlookup my_identity_lookup | search identity=user | fields priority ]
| table _time user priority

 

But the priority field returns blank. Would appreciate any help fixing this! 

Thanks in advance!

Labels (1)
0 Karma

scelikok
SplunkTrust
SplunkTrust

You must use fieldname after AS. Your base search Please try below;

| lookup my_identity_lookup identity AS user OUTPUT priority

 

If this reply helps you an upvote is appreciated.
0 Karma

cbschreiber
Explorer

 

Understood. When I try that it throws the error:

Streamed search execute failed because: Error in 'lookup' command: Could not construct lookup 'my_identity_lookup, identity, AS, user, OUTPUT, priority'. See search.log for more details..

SPL is 

index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| lookup my_identity_lookup identity AS user OUTPUT priority
| table _time user priority

 

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @cbschreiber,

You can use lookup command without join and subsearch;

index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| lookup my_identity_lookup identity AS user OUTPUT priority 
| table _time user priority

 

If this reply helps you an upvote is appreciated.
0 Karma

cbschreiber
Explorer
Hi Scelikok, 
 
Thank you for the response. Not sure what I might be doing wrong here… but when I try this, it throws an error:
 
Streamed search execute failed because: Error in 'lookup' command: Could not construct lookup ‘my_identity_lookup, identity, AS, user, OUTPUT, priority'. See search.log for more details..
 
 
I tied this, which produces results
 
| inputlookup my_identity_lookup | where identity=“xxx.yyy"
 
Then tried this, which does NOT produce results
 
| lookup my_identity_lookup identity AS “xxx.yyy" OUTPUT priority
 
Thoughts on what I'm doing wrong here?
0 Karma

bowesmana
SplunkTrust
SplunkTrust

you are joining on 'user' but you don't return user in the subsearch, only priority. Change to 

| fields user priority
0 Karma

cbschreiber
Explorer

Hi Bowesmana, 

I tried this but it did not help. Thank you for chiming in. 

 

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...