Splunk Enterprise Security

Why are identities not merging after I created a new identity list in Splunk App for Enterprise Security?

OL
Communicator

Hello,

I have created a new identity list in Splunk ES following the documentation, but the new identities doesn't show in Identity Center.

I have checked that the new lookup is working ("| inputlookup new_ident_lookup" gives me the list) and that it is picked up by identity_manager.py script (can see in the logs that it has found the table file). However, no merge and identities_expanded.csv remains the same (without my new list).

Any idea on how to debug this?

Regards,
Olivier

1 Solution

esix_splunk
Splunk Employee
Splunk Employee

Do the headers and fields match the existing ES based fields? Your lookup table needs to have the same fields for them to be expanded properly.

View solution in original post

esix_splunk
Splunk Employee
Splunk Employee

Do the headers and fields match the existing ES based fields? Your lookup table needs to have the same fields for them to be expanded properly.

OL
Communicator

Hello thank you for answer. Actually the header was fine but the data had an extra comma. Shame that the logs doesn't say anything about this. Thank you for helping.

Regards,
Olivier