Hello
Within Enterprise Security I have this as the beginning part of my correlation search:
| from inputlookup:access_tracker
I can't seem to find where the contents of this lookup table are. I've gone into SETTINGS > Lookups and gone through the "Lookup table files" and "Automatic Lookups" but could not find anything for access_tracker.
Ideas?
General_Talos,
Thank you but I'm not looking to add a new lookup file. I am wanting to find out more details on my existing lookup file.
Sceikok, this would be a static file that was uploaded? I'm questioning the value of data I see in a field but was wondering if any of that could be dynamically generated by Splunk.
Access Tracker is part of the "Asset and Identity" module for the Splunk ES app.
To access "inputlookup:access_tracker" you first need to add asset data/lookup by using:
- From the Splunk menu bar, select Settings > Lookups > Lookup table files.
- Click New.
- Select a Destination App of SA-IdentityManagement.
- Select the lookup file to upload.
- Type the Destination filename that the lookup table file should have on the search head. The name should include the filename extension.
- For example, network_assets_from_CMDB.csv
- Click Save to save the lookup table file and return to the list of lookup table files.
Reference: https://docs.splunk.com/Documentation/ES/6.4.0/Admin/Configurenewassetoridentitylist
For more details on the "Asset and Identity" module, follow:
https://docs.splunk.com/Documentation/ES/6.4.0/Admin/Addassetandidentitydata
Hi @iherb_0718,
It should be in the SA-AccessProtection app's Lookup Definitions:
https://splunk_host:8000/en-US/manager/SA-AccessProtection/data/transforms/lookups?ns=SA-AccessProtection&pwnr=-&search=access_tracker
If this reply helps you, an upvote is appreciated.