Solved: When bringing in assets and identities to Splunk E...

lmmills · ‎05-08-2023

When bringing in assets and identities to Splunk ES via an input is there any value in separating the lookups by domain? When I bring in the identities from multiple sources the events are multivalue so one event may contain 5 usernames and 5 different domains.

meetmshah · ‎07-04-2023

Hello @lmmills, It is suggested using multiple lookups for different domains / sources etc. as -

There won't be single point of failure - meaning if one lookup file is accidentally deleted, we have other files available
Individual lookups can be updated through individual saved searches without touching other lookups

If you have multiple domains and which can contain multiple usernames, you can add additional custom field and make it "key" field. So that merging will be in place based on that additional field.

Feel free to accept the answer if that helps!

View solution in original post

meetmshah · ‎07-04-2023

Hello @lmmills, It is suggested using multiple lookups for different domains / sources etc. as -

There won't be single point of failure - meaning if one lookup file is accidentally deleted, we have other files available
Individual lookups can be updated through individual saved searches without touching other lookups

If you have multiple domains and which can contain multiple usernames, you can add additional custom field and make it "key" field. So that merging will be in place based on that additional field.

Feel free to accept the answer if that helps!

When bringing in assets and identities to Splunk ES via an input is there any value in separating the lookups by domain?

configuration

other

using Enterprise Security

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!