Splunk Enterprise Security

Identities question

Niro
Explorer

Hello,

I've set up an identity lookup using ldapsearch - it creates an identity of "username" that contains various details about the user, including the email address. It works well in identifying the user as `username` and `useremail@domain`.

However I'd like to also have it identify users based on `domain\username` and `username@domain` (which is actually different than `useremail` in our case) since a lot of our logs contain the user field in those formats. What's the best way to do that?


isoutamo
SplunkTrust

Hi

There are two options to get those into your lookup.

  1. Get those from your LDAP query. This is obviously the best option, as then those are absolutely correct. Unfortunately I don't have any suitable AD to look at which fields those are and how you could get them. I'm quite confident that those are there. Just ask your AD admins and they will probably help you.
  2. If you have a standard for how those are created based on other attributes, then just regenerate those before you add the entry to the lookup.

r. Ismo


Niro
Explorer

Thanks for your reply!

I guess I should clarify my question though - I can figure out how to generate them; the question is where do I put them? Do I create additional fields in the lookup for the user and somehow Splunk will use that field? Make the identity field a multivalue field?


isoutamo
SplunkTrust

Probably the easiest way is just to add new fields to the end of your lookup file lines. That way it's easier to use those than e.g. mvfields.


Niro
Explorer

Thanks!

I did that, but how do I make it use the new field as an identity? I.e. right now I have the "identity" field which is the samaccountname, and I also see it merged the email address into it when looking at the identity center. However if I add another field (i.e. domain_identity) it won't use it for identity lookups as far as I can tell. What I did for now (which might be completely the wrong way to do it) is create another identity lookup with the exact same query as the first one (which gets all fields from Active Directory) but for "identity" I'm adding `domain\username`. That seems to do the trick since it merges identities based on email address (which matches).


I'm sure I'm missing something very basic here though.


isoutamo
SplunkTrust

Have you tried using index_field_list in transforms.conf for a CSV-based lookup and/or accelerated_fields in collections.conf for a KV store-based lookup?

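As an added example (not code from anyone in this thread), the script below takes ldapsearch-style LDIF output for two constructed sample accounts and writes an ES-style identity lookup in which the `identity` column carries every spelling the logs might use (`username`, `DOMAIN\username`, `username@domain` from the UPN, and the separate mail address) as a pipe-separated list, which is how ES identity lookups express multiple identities on one row. The NetBIOS domain name `CORP` and the attribute names are assumptions to adjust for your directory.

```python
import csv
import io

# Constructed ldapsearch-style LDIF output (sample accounts, not real users).
# Note the UPN differs from the mail attribute, as in the question above.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Users,DC=corp,DC=example
sAMAccountName: jdoe
userPrincipalName: jdoe@corp.example
mail: jane.doe@example.com
givenName: Jane
sn: Doe

dn: CN=Svc Backup,OU=Service,DC=corp,DC=example
sAMAccountName: svc_backup
userPrincipalName: svc_backup@corp.example
mail: backup-alerts@example.com
"""

NETBIOS_DOMAIN = "CORP"  # assumed NetBIOS name; take it from your AD admins


def parse_ldif(text):
    """Split LDIF text into one dict per entry (a blank line ends an entry)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        entries.append(current)
    return entries


def identity_values(entry, netbios=NETBIOS_DOMAIN):
    """Every spelling of the account seen in logs, in order, without duplicates."""
    sam = entry["sAMAccountName"]
    candidates = [sam, f"{netbios}\\{sam}", entry.get("userPrincipalName", ""),
                  entry.get("mail", "")]
    return [c for i, c in enumerate(candidates) if c and c not in candidates[:i]]


def build_identity_lookup(ldif_text):
    """Return CSV text for an identity lookup; identity is a '|'-separated list."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["identity", "email", "first", "last"])
    writer.writeheader()
    for e in parse_ldif(ldif_text):
        writer.writerow({"identity": "|".join(identity_values(e)),
                         "email": e.get("mail", ""),
                         "first": e.get("givenName", ""), "last": e.get("sn", "")})
    return out.getvalue()
```

Because every alias sits in the single `identity` column, ES resolves `CORP\jdoe`, `jdoe@corp.example` and `jane.doe@example.com` to the same row without a second identity lookup.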