Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why are categories not merging within Identity Investigator?

stefan1988
Path Finder
‎08-09-2016 12:31 AM

Hello,

I'm having two identity lookups with two different categories. One lookup with the category 'gds_account' and the other lookup with the category 'ad_account'.

I would expect that the identity will receive category 'gds_account, ad_account', but I'm only seeing one category within the Identity Investigator, is that right?

Thanks and regards,
Stefan

0 Karma
Reply

ekost
Splunk Employee
Splunk Employee
‎10-05-2016 10:47 AM

Reviewing the documentation on Identity lookup fields, the category field accepts pipe-delimited entries. That does not imply that you can spread a collection of categories across multiple lookups, but rather that all category data must be populated in the identity lookup. The category field accepts pipe-delimited entries in the case that there are multiple categories for a given identity.

Notably, you can leverage a search-driven lookup to collect data and create a merged category list for inclusion into the identity lookup. It's also good practice to try building a search-driven lookup, as many processes in ES leverage them.

Note that the 'owner' field for the assets lookup is listed as a string, and not a delimited field. Therefore I would not expect to get more than one value.

If you're keen to see the values from another lookup associated with an event, give the field in that lookup a unique name and check that the field appears in the events when you drilldown. Example: category_gs, or category_ad. Always check that the lookup is working properly before beginning more complex operations.

0 Karma
Reply

stefan1988
Path Finder
‎09-21-2016 02:24 AM

The same applies for the owner field. If you have two lookups from two different data sources and both are giving an owner value It looks like ES is not presenting this multivalue in the asset/identity Investigator. Has anyone been able to solve this?

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...