We have configured a lookup table under 'ESS Identity management' to maintain the list of users. The user list is updated daily using a scheduled search. And the 'priority' of the user is calculated either as 'high' or 'medium' based on certain factors.
But, the priority of a few users is modified as 'critical'. I am trying to understand feature/search which modifies the priority value.
Any help is a welcome one. Thanks.
I don't think the users priority in the identity tables gets changed by any other process. Can you pls double check if your scheduled search is updating it? (perhaps)
I assume you are not talking about -https://docs.splunk.com/Documentation/ES/5.2.2/User/Howurgencyisassigned
You are right. I have overlooked the scheduled search that updates the identity lookup table. My bad.
The priority indeed calculated and updated by the scheduled search. Thanks.
If you are happy with the answer, pls accept the same to close the thread.