Splunk Enterprise Security

Merging identity lookups fails

vagnet
Explorer

Hi Splunkers,

I have an issue merging two identity lookup files on ES. In particular, my first lookup file has rows like the below:

 

identity	priority	email
vagn		low	        vag@gmail.com

 

The second lookup file looks like the below:

 

identity	priority	email
vagn		critical	vag@gmail.com

 

I would expect that when I run the "| inputlookup append=T identity_lookup_expanded | entitymerge identity " command I would have a result like the below, yet this doesn't happen.

 

identity	priority	email
vagn		critical	vag@gmail.com
			low

 

Any ideas? I have enabled the multivalue field for the "priority" field already so it can hold more than one value but didn't help.

 

Regards,

Evang

 

Labels (2)
Tags (3)
0 Karma

johnhua
Builder

The "priority" field, by default is defined as single value field. I'm not sure why you would want this to be multivalued -- ideally you should use stats and eval to make it into a single value field.

If you want to change this to multivalued: Configure -> Asset and Identity Management -> Identify Fields -> priority -> Multivalue (check and save).

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>