Splunk Enterprise Security

Merging identity lookups fails

vagnet
Explorer

Hi Splunkers,

I have an issue merging two identity lookup files on ES. In particular, my first lookup file has rows like the below:

 

identity	priority	email
vagn		low	        vag@gmail.com

 

The second lookup file looks like the below:

 

identity	priority	email
vagn		critical	vag@gmail.com

 

I would expect that when I run the "| inputlookup append=T identity_lookup_expanded | entitymerge identity " command I would have a result like the below, yet this doesn't happen.

 

identity	priority	email
vagn		critical	vag@gmail.com
			low

 

Any ideas? I have enabled the multivalue field for the "priority" field already so it can hold more than one value but didn't help.

 

Regards,

Evang

 

Labels (2)
Tags (3)
0 Karma

johnhuang
Motivator

The "priority" field, by default is defined as single value field. I'm not sure why you would want this to be multivalued -- ideally you should use stats and eval to make it into a single value field.

If you want to change this to multivalued: Configure -> Asset and Identity Management -> Identify Fields -> priority -> Multivalue (check and save).

0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...