Solved: Re: When bringing in assets and identities to Splu...

lmmills · ‎05-08-2023

When bringing in assets and identities to Splunk ES via an input is there any value in separating the lookups by domain? When I bring in the identities from multiple sources the events are multivalue so one event may contain 5 usernames and 5 different domains.

meetmshah · ‎07-04-2023

Hello @lmmills, It is suggested using multiple lookups for different domains / sources etc. as -

There won't be single point of failure - meaning if one lookup file is accidentally deleted, we have other files available
Individual lookups can be updated through individual saved searches without touching other lookups

If you have multiple domains and which can contain multiple usernames, you can add additional custom field and make it "key" field. So that merging will be in place based on that additional field.

Feel free to accept the answer if that helps!

View solution in original post

meetmshah · ‎07-04-2023

Hello @lmmills, It is suggested using multiple lookups for different domains / sources etc. as -

There won't be single point of failure - meaning if one lookup file is accidentally deleted, we have other files available
Individual lookups can be updated through individual saved searches without touching other lookups

If you have multiple domains and which can contain multiple usernames, you can add additional custom field and make it "key" field. So that merging will be in place based on that additional field.

Feel free to accept the answer if that helps!

When bringing in assets and identities to Splunk ES via an input is there any value in separating the lookups by domain?

configuration

other

using Enterprise Security

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?