Solved: Splunk Enterprise Security: How to construct an in... - Splunk Community

Splunk Enterprise Security

I have a lookup with 461 usernames. I want to input the lookup to Splunk and display corresponding First and Last name from Splunk Enterprise Security Identities.

Any ideas how to construct that search?

|inputlookup users | `identities`

user
xxxx
yyyy
zzzz
...

1 Solution

Solution

Try this one.

|inputlookup users.csv|fields user|eval user=lower(user)|join type=left user [datamodel("Identity_Management", "All_Identities")| drop_dm_object_name("All_Identities")|mvexpand identity|rename identity as user|eval user=lower(user)]|table user first last

View solution in original post

Solution

Try this one.

|inputlookup users.csv|fields user|eval user=lower(user)|join type=left user [datamodel("Identity_Management", "All_Identities")| drop_dm_object_name("All_Identities")|mvexpand identity|rename identity as user|eval user=lower(user)]|table user first last

the search was missing `` around drop_dm_object_name("All_Identities")

Corrected and run it but it does not populate first and last name.

try updated one..

Kiran,

Apologies, I did not noticed the updated search.
It was great, producing expected results !

Thanks!

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...