Splunk Enterprise Security

Why are identities not merging after I created a new identity list in Splunk App for Enterprise Security?

OL
Communicator

Hello,

I have created a new identity list in Splunk ES following the documentation, but the new identities don't show in Identity Center.

I have checked that the new lookup is working ("| inputlookup new_ident_lookup" gives me the list) and that it is picked up by the identity_manager.py script (I can see in the logs that it has found the table file). However, there is no merge and identities_expanded.csv remains the same (without my new list).

Any idea on how to debug this?

Regards,
Olivier

1 Solution

esix_splunk
Splunk Employee

Do the headers and fields match the existing ES based fields? Your lookup table needs to have the same fields for them to be expanded properly.

OL
Communicator

Hello, thank you for the answer. Actually the header was fine but the data had an extra comma. Shame that the logs don't say anything about this. Thank you for helping.

Regards,
Olivier
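
A pre-upload check for the two causes raised in this thread (header mismatch and a data row with an extra comma), as an added example that is not part of the original posts or of Splunk's own code. The function name `check_identity_csv`, the abbreviated header and the sample rows are constructed for illustration; in practice the reference header would be copied from an identity lookup that already merges.

```python
import csv
import io

def check_identity_csv(text, reference_header):
    """Return a list of (line_number, problem) found in an identity lookup CSV.

    reference_header: field names copied from a lookup that already merges
    (assumption: supplied by the caller, not read from Splunk).
    """
    reader = csv.reader(io.StringIO(text, newline=""))
    try:
        header = next(reader)
    except StopIteration:
        return [(1, "file is empty")]

    problems = []
    missing = [f for f in reference_header if f not in header]
    unknown = [f for f in header if f not in reference_header]
    if missing:
        problems.append((1, "header lacks fields: " + ",".join(missing)))
    if unknown:
        problems.append((1, "header has unknown fields: " + ",".join(unknown)))

    for row in reader:
        if not row:          # blank line, nothing to count
            continue
        # A stray or trailing comma shows up as a field-count mismatch.
        if len(row) != len(header):
            problems.append(
                (reader.line_num, f"{len(row)} fields, header has {len(header)}")
            )
    return problems

# Constructed, abbreviated header and rows (not a real identity list).
REFERENCE_HEADER = ["identity", "first", "last", "email", "priority"]
SAMPLE = (
    "identity,first,last,email,priority\n"
    "jdoe,John,Doe,jdoe@example.com,high\n"
    "asmith,Anna,Smith,,asmith@example.com,low\n"      # extra comma
    '"mlee|m.lee",Min,Lee,mlee@example.com,medium\n'   # quoted field is fine
)

if __name__ == "__main__":
    for line_no, problem in check_identity_csv(SAMPLE, REFERENCE_HEADER):
        print(f"line {line_no}: {problem}")
```

Running it against the lookup file before saving it to the app points at the exact line that has the wrong number of fields.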
