Solved: Re: When bringing in assets and identities to Splu...

lmmills · ‎05-08-2023

When bringing in assets and identities to Splunk ES via an input is there any value in separating the lookups by domain? When I bring in the identities from multiple sources the events are multivalue so one event may contain 5 usernames and 5 different domains.

meetmshah · ‎07-04-2023

Hello @lmmills, It is suggested using multiple lookups for different domains / sources etc. as -

There won't be single point of failure - meaning if one lookup file is accidentally deleted, we have other files available
Individual lookups can be updated through individual saved searches without touching other lookups

If you have multiple domains and which can contain multiple usernames, you can add additional custom field and make it "key" field. So that merging will be in place based on that additional field.

Feel free to accept the answer if that helps!

View solution in original post

meetmshah · ‎07-04-2023

Hello @lmmills, It is suggested using multiple lookups for different domains / sources etc. as -

There won't be single point of failure - meaning if one lookup file is accidentally deleted, we have other files available
Individual lookups can be updated through individual saved searches without touching other lookups

If you have multiple domains and which can contain multiple usernames, you can add additional custom field and make it "key" field. So that merging will be in place based on that additional field.

Feel free to accept the answer if that helps!

When bringing in assets and identities to Splunk ES via an input is there any value in separating the lookups by domain?

configuration

other

using Enterprise Security

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...