Solved: When bringing in assets and identities to Splunk E...

lmmills · ‎05-08-2023

When bringing in assets and identities to Splunk ES via an input is there any value in separating the lookups by domain? When I bring in the identities from multiple sources the events are multivalue so one event may contain 5 usernames and 5 different domains.

meetmshah · ‎07-04-2023

Hello @lmmills, It is suggested using multiple lookups for different domains / sources etc. as -

There won't be single point of failure - meaning if one lookup file is accidentally deleted, we have other files available
Individual lookups can be updated through individual saved searches without touching other lookups

If you have multiple domains and which can contain multiple usernames, you can add additional custom field and make it "key" field. So that merging will be in place based on that additional field.

Feel free to accept the answer if that helps!

View solution in original post

meetmshah · ‎07-04-2023

Hello @lmmills, It is suggested using multiple lookups for different domains / sources etc. as -

There won't be single point of failure - meaning if one lookup file is accidentally deleted, we have other files available
Individual lookups can be updated through individual saved searches without touching other lookups

If you have multiple domains and which can contain multiple usernames, you can add additional custom field and make it "key" field. So that merging will be in place based on that additional field.

Feel free to accept the answer if that helps!

When bringing in assets and identities to Splunk ES via an input is there any value in separating the lookups by domain?

configuration

other

using Enterprise Security

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Splunk Observability Cloud | Enhancing Your Onboarding Experience with the ...