Security

Using Enterprise Security Identity Lookup Fields In SPL Query

cbschreiber
Explorer

I have a really simple query that I'd like to join with Enterprise Security's Identity inputlookup and grab a field from there. 

Here is the simple SPL:

index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| table _time user

Trying to use a join to grab the data:

index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| join type=left overwrite=true user
[ |inputlookup my_identity_lookup | search identity=user | fields priority ]
| table _time user priority

 

But the priority field returns blank. Would appreciate any help fixing this! 

Thanks in advance!

Labels (1)
0 Karma

scelikok
SplunkTrust
SplunkTrust

You must use fieldname after AS. Your base search Please try below;

| lookup my_identity_lookup identity AS user OUTPUT priority

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

cbschreiber
Explorer

 

Understood. When I try that it throws the error:

Streamed search execute failed because: Error in 'lookup' command: Could not construct lookup 'my_identity_lookup, identity, AS, user, OUTPUT, priority'. See search.log for more details..

SPL is 

index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| lookup my_identity_lookup identity AS user OUTPUT priority
| table _time user priority

 

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @cbschreiber,

You can use lookup command without join and subsearch;

index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| lookup my_identity_lookup identity AS user OUTPUT priority 
| table _time user priority

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

cbschreiber
Explorer
Hi Scelikok, 
 
Thank you for the response. Not sure what I might be doing wrong here… but when I try this, it throws an error:
 
Streamed search execute failed because: Error in 'lookup' command: Could not construct lookup ‘my_identity_lookup, identity, AS, user, OUTPUT, priority'. See search.log for more details..
 
 
I tied this, which produces results
 
| inputlookup my_identity_lookup | where identity=“xxx.yyy"
 
Then tried this, which does NOT produce results
 
| lookup my_identity_lookup identity AS “xxx.yyy" OUTPUT priority
 
Thoughts on what I'm doing wrong here?
0 Karma

bowesmana
SplunkTrust
SplunkTrust

you are joining on 'user' but you don't return user in the subsearch, only priority. Change to 

| fields user priority
0 Karma

cbschreiber
Explorer

Hi Bowesmana, 

I tried this but it did not help. Thank you for chiming in. 

 

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...