Hi all,
in our identity feed there are some instances where different identities are registered with the same email address. ES by default merges using "key" fields and email. I want to disable this behaviour, but I cannot find how to do that. In the documentation it is written "The key field is identity and the default merge convention is email.". Does anyone know how I can change the default merge convention?
Thanks
Mario
Sounds like you could use entity zones:
https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Entityzones
(the example is asset, but it's also for identity)
Or change the key to a different field:
https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Identitysettings#Add_or_edit_an_identity_field
Let me know if that helps.