Splunk Enterprise Security

Why are identities not merging after I created a new identity list in Splunk App for Enterprise Security?

OL
Communicator

Hello,

I have created a new identity list in Splunk ES following the documentation, but the new identities doesn't show in Identity Center.

I have checked that the new lookup is working ("| inputlookup new_ident_lookup" gives me the list) and that it is picked up by identity_manager.py script (can see in the logs that it has found the table file). However, no merge and identities_expanded.csv remains the same (without my new list).

Any idea on how to debug this?

Regards,
Olivier

1 Solution

esix_splunk
Splunk Employee
Splunk Employee

Do the headers and fields match the existing ES based fields? Your lookup table needs to have the same fields for them to be expanded properly.

View solution in original post

esix_splunk
Splunk Employee
Splunk Employee

Do the headers and fields match the existing ES based fields? Your lookup table needs to have the same fields for them to be expanded properly.

OL
Communicator

Hello thank you for answer. Actually the header was fine but the data had an extra comma. Shame that the logs doesn't say anything about this. Thank you for helping.

Regards,
Olivier

Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...