Splunk Enterprise Security: How to construct an inputlookup search that will display ES identity information from their usernames?

ttchorz
Path Finder

I have a lookup with 461 usernames. I want to input the lookup to Splunk and display corresponding First and Last name from Splunk Enterprise Security Identities.

Any ideas how to construct that search?

|inputlookup users | `identities`

user
xxxx
yyyy
zzzz
...

kiran331
Builder

Try this one.

|inputlookup users.csv|fields user|eval user=lower(user)|join type=left user [|`datamodel("Identity_Management", "All_Identities")`|`drop_dm_object_name("All_Identities")`|mvexpand identity|rename identity as user|eval user=lower(user)]|table user first last

ttchorz
Path Finder

The search was missing `` around drop_dm_object_name("All_Identities").

Corrected it and ran it, but it does not populate first and last name.


kiran331
Builder

Try the updated one.


ttchorz
Path Finder

Kiran,

Apologies, I did not notice the updated search.
It was great, producing the expected results!

Thanks!
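
An alternative to the join in the accepted answer, as an added example that is not part of the original thread: it enriches the usernames with the `lookup` command, so it does not depend on the result limit that `join` applies to its subsearch, and it marks usernames that have no identity record. It assumes the Enterprise Security lookup definition `identity_lookup_expanded` is available to the search and that users.csv has a `user` column; `identity_match` is a field name made up for this example.

```spl
| inputlookup users.csv
| fields user
| eval user=lower(user)
| lookup identity_lookup_expanded identity AS user OUTPUT first last
| eval identity_match=if(isnull(first) AND isnull(last), "no", "yes")
| sort 0 identity_match user
| table user first last identity_match
```

Rows with identity_match=no sort to the top and are the usernames from the lookup that have no entry in the ES identity table.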
