Merging identity lookups fails

vagnet · ‎01-20-2022

Hi Splunkers,

I have an issue merging two identity lookup files on ES. In particular, my first lookup file has rows like the below:

identity	priority	email
vagn		low	        vag@gmail.com

The second lookup file looks like the below:

identity	priority	email
vagn		critical	vag@gmail.com

I would expect that when I run the "| inputlookup append=T identity_lookup_expanded | entitymerge identity " command I would have a result like the below, yet this doesn't happen.

identity	priority	email
vagn		critical	vag@gmail.com
			low

Any ideas? I have enabled the multivalue field for the "priority" field already so it can hold more than one value but didn't help.

Regards,

Evang

johnhuang · ‎01-26-2022

The "priority" field, by default is defined as single value field. I'm not sure why you would want this to be multivalued -- ideally you should use stats and eval to make it into a single value field.

If you want to change this to multivalued: Configure -> Asset and Identity Management -> Identify Fields -> priority -> Multivalue (check and save).

Merging identity lookups fails

administration

using Enterprise Security

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Merging identity lookups fails

administration

using Enterprise Security

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability