Splunk Cloud Platform

lookup table

iherb_0718
Path Finder

Hello

Within Enterprise Security I have this as the beginning part of my correlation search:

| from inputlookup:access_tracker

I can't seem to find where the contents of this lookup table are. I've gone into SETTINGS < Lookups < and gone through the "lookup table files" and "Automatic Lookups" but could not find anything for access_tracker.

Ideas?
0 Karma

iherb_0718
Path Finder

General_Talos,

Thank you but I'm not looking to add a new lookup file. I am wanting to find out more details on my existing lookup file. 

0 Karma

iherb_0718
Path Finder

Scelikok, this would be a static file that was uploaded? I'm questioning the value of data I see in a field but was wondering if any of that could be dynamically generated by Splunk.

0 Karma

General_Talos
Path Finder

Access Tracker is part of the "Asset and Identity" module for the Splunk ES app.

To access "inputlookup:access_tracker" you first need to add asset data/lookup by using:

- From the Splunk menu bar, select Settings > Lookups > Lookup table files.
- Click New.
- Select a Destination App of SA-IdentityManagement.
- Select the lookup file to upload.
- Type the Destination filename that the lookup table file should have on the search head. The name should include the filename extension, for example, network_assets_from_CMDB.csv.
- Click Save to save the lookup table file and return to the list of lookup table files.

Reference: https://docs.splunk.com/Documentation/ES/6.4.0/Admin/Configurenewassetoridentitylist

For more details on the "Asset and Identity" module, see:

https://docs.splunk.com/Documentation/ES/6.4.0/Admin/Addassetandidentitydata

0 Karma

scelikok
SplunkTrust

Hi @iherb_0718,

It should be in the SA-AccessProtection app's Lookup Definitions:

https://splunk_host:8000/en-US/manager/SA-AccessProtection/data/transforms/lookups?ns=SA-AccessProtection&pwnr=-&search=access_tracker

If this reply helps you an upvote is appreciated.
0 Karma
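
One way to check both points raised in this thread (where access_tracker is defined, and whether its contents are uploaded once or rewritten by a search), as an added example that is not from any of the posts above. It goes slightly beyond the thread by also listing saved searches that write to the lookup, and it assumes your role may run the `rest` command and can see these objects.

```spl
| rest /servicesNS/-/-/data/transforms/lookups splunk_server=local
| search title="access_tracker"
| eval kind="lookup definition"
| table kind title eai:acl.app eai:acl.sharing filename collection
| append
    [| rest /servicesNS/-/-/saved/searches splunk_server=local
     | where like(search, "%outputlookup%") AND like(search, "%access_tracker%")
     | eval kind="search writing to the lookup"
     | table kind title eai:acl.app cron_schedule disabled search]
```

The first row shows the owning app and whether the definition is backed by a CSV (`filename`) or a KV store (`collection`); any further rows are searches that regenerate the contents, which means the field values you see come from indexed data on that schedule rather than from a static upload.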