Splunk Enterprise Security

Merging identity lookups fails


Hi Splunkers,

I have an issue merging two identity lookup files on ES. In particular, my first lookup file has rows like the below:


identity	priority	email
vagn		low	        vag@gmail.com


The second lookup file looks like the below:


identity	priority	email
vagn		critical	vag@gmail.com


I would expect that when I run the "| inputlookup append=T identity_lookup_expanded | entitymerge identity " command I would have a result like the below, yet this doesn't happen.


identity	priority	email
vagn		critical	vag@gmail.com


Any ideas? I have enabled the multivalue field for the "priority" field already so it can hold more than one value but didn't help.





Labels (2)
Tags (3)
0 Karma


The "priority" field, by default is defined as single value field. I'm not sure why you would want this to be multivalued -- ideally you should use stats and eval to make it into a single value field.

If you want to change this to multivalued: Configure -> Asset and Identity Management -> Identify Fields -> priority -> Multivalue (check and save).

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!


Or Learn More in Our Blog >>