Splunk Enterprise Security

Why are categories not merging within Identity Investigator?

stefan1988
Path Finder

Hello,

I have two identity lookups with two different categories. One lookup has the category 'gds_account' and the other lookup has the category 'ad_account'.

I would expect that the identity will receive the category 'gds_account, ad_account', but I'm only seeing one category within the Identity Investigator. Is that right?

Thanks and regards,
Stefan

0 Karma

ekost
Splunk Employee

Reviewing the documentation on Identity lookup fields, the category field accepts pipe-delimited entries. That does not imply that you can spread a collection of categories across multiple lookups, but rather that all category data must be populated in the identity lookup. The category field accepts pipe-delimited entries in the case that there are multiple categories for a given identity.

Notably, you can leverage a search-driven lookup to collect data and create a merged category list for inclusion into the identity lookup. It's also good practice to try building a search-driven lookup, as many processes in ES leverage them.

Note that the 'owner' field for the assets lookup is listed as a string, and not a delimited field. Therefore I would not expect to get more than one value.

If you're keen to see the values from another lookup associated with an event, give the field in that lookup a unique name and check that the field appears in the events when you drill down. Example: category_gs, or category_ad. Always check that the lookup is working properly before beginning more complex operations.

0 Karma
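The merge step described in the answer above (collect the category values from several source lookups and write a single pipe-delimited category field into the identity lookup) can be prototyped outside Splunk before building the search-driven lookup. The script below is an added example and is not code from the thread or from Splunk; the two inline CSV lookups are constructed sample data, the column names follow the ES identity lookup format (identity, nick, first, last, email, category), and an owner column is included only to mirror the follow-up question, treated as the single-value string type the answer describes.

```python
import csv
import io

# Constructed sample lookups (not from the thread): two identity lookups that
# come from different sources and each carry their own category value.
GDS_LOOKUP = """identity,nick,first,last,email,category,owner
jdoe,,John,Doe,jdoe@example.com,gds_account,it_ops
asmith,,Alice,Smith,asmith@example.com,gds_account,
"""

AD_LOOKUP = """identity,nick,first,last,email,category,owner
jdoe,,John,Doe,jdoe@example.com,ad_account,helpdesk
bjones,,Bob,Jones,bjones@example.com,ad_account,sec_team
"""

# Fields that the ES identity lookup reads as pipe-delimited multivalue.
MULTIVALUE_FIELDS = {"category"}


def load_lookup(text):
    """Parse a lookup CSV (as exported from Splunk) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def merge_identity_lookups(*lookups):
    """Merge rows that share an identity key into one row per identity.

    Pipe-delimited fields get the union of their values, in first-seen order.
    Plain string fields (owner, email, ...) keep the first non-empty value;
    a second, different non-empty value is reported as a conflict instead of
    being silently dropped, because ES reads such fields as a single string.
    Returns (merged_rows_by_identity, conflicts).
    """
    merged = {}
    conflicts = []
    for rows in lookups:
        for row in rows:
            key = row["identity"]
            target = merged.setdefault(key, {})
            for field, value in row.items():
                value = (value or "").strip()
                if field in MULTIVALUE_FIELDS:
                    existing = [v for v in target.get(field, "").split("|") if v]
                    for v in value.split("|"):
                        if v and v not in existing:
                            existing.append(v)
                    target[field] = "|".join(existing)
                elif not value:
                    target.setdefault(field, "")
                elif not target.get(field):
                    target[field] = value
                elif target[field] != value:
                    conflicts.append((key, field, target[field], value))
    return merged, conflicts


def to_csv(merged, fieldnames):
    """Render the merged rows as a CSV ready to load as the identity lookup."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for key in sorted(merged):
        writer.writerow({f: merged[key].get(f, "") for f in fieldnames})
    return buf.getvalue()


if __name__ == "__main__":
    merged, conflicts = merge_identity_lookups(load_lookup(GDS_LOOKUP), load_lookup(AD_LOOKUP))
    print(to_csv(merged, ["identity", "nick", "first", "last", "email", "category", "owner"]))
    for identity, field, kept, dropped in conflicts:
        print(f"conflict: {identity}.{field} kept '{kept}', ignored '{dropped}'")
```

Running it shows jdoe with category `gds_account|ad_account` and a reported owner conflict (it_ops vs helpdesk), which is exactly the case the Investigator cannot display as a multivalue: the merge has to pick one owner, so the conflict list is what to review before the lookup is loaded. Inside ES the same union of category values per identity is what a search-driven lookup would produce, writing its result into the identity lookup that the Identity Investigator reads.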

stefan1988
Path Finder

The same applies to the owner field. If you have two lookups from two different data sources and both give an owner value, it looks like ES is not presenting this multivalue in the Asset/Identity Investigator. Has anyone been able to solve this?

0 Karma