Define identity formats in Splunk Enterprise Security
Define the identity formats that identify users in your environment on the Identity Lookup Configuration page. Changes made on the Identity Lookup Configuration page modify the identityLookup.conf file.
Prerequisite
Collect and extract asset and identity data in Splunk Enterprise Security
Steps
- From the Splunk ES menu bar, select Configure > Data Enrichment > Identity Lookup Configuration.
- (Optional) Deselect the check box for Email if email addresses do not identify users in your environment.
- (Optional) Deselect the check box for Email short if the username of an email address does not identify users in your environment.
- (Optional) Select the check box for Convention if you want to define custom conventions to use to identify users.
- Click Add a new convention to add a custom convention.
- You can identify users by the first few letters of their first name, middle name, and last name, based on the columns in the Identities Table. Use the convention of
identity_first(n)middle(n)last(n)
where identity, first, middle, and last are any columns from the Identities Table, and where n is the number of leading characters to take from that column, starting with 0. A column reference with no number, such as last(), takes the whole value, and text that is not a column reference, such as the ADMIN_ prefix below, is kept as written. For example:
  - "Jane Marie Johnson" using the convention first(3)last(3) is janjoh
  - "John Michael Smith" using the convention first(1)middle(1).last() is jm.smith
  - "John Doe" using the convention ADMIN_first(1)last() is ADMIN_jdoe
- Multiple matches are resolved automatically by taking the first match in the table, or manually by specifying identity values. A short convention such as first(1)last(1) produces the same string for many users, and because the first row wins, activity can then be attributed to the wrong user. Check the Identities Table for such collisions before enabling a convention.
- (Optional) Select the check box for Case Sensitive to require case sensitive identity matching. Case sensitive identity matching produces fewer matches.
- Click Save.
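To see what a convention produces before you save it, the following Python illustrates the convention syntax as described in the steps above: it parses a convention string, renders it against Identities Table rows, resolves an observed identity with and without case sensitivity, and lists the collisions a convention causes. This is an added example, not code from Splunk Enterprise Security or from identityLookup.conf. The sample rows, the column names, and the choice to lowercase column-derived text while keeping literal text such as ADMIN_ as written are assumptions drawn from the page's examples.

```python
import re

# Constructed sample rows standing in for the Identities Table; not real data.
COLUMNS = ("first", "middle", "last", "identity")
SAMPLE_ROWS = [
    {"identity": "jjohnson", "first": "Jane", "middle": "Marie", "last": "Johnson"},
    {"identity": "jsmith", "first": "John", "middle": "Michael", "last": "Smith"},
    {"identity": "jdoe", "first": "John", "middle": "", "last": "Doe"},
    {"identity": "jjones", "first": "Jim", "middle": "", "last": "Jones"},
]


def parse_convention(convention, columns):
    """Split a convention such as 'ADMIN_first(1)last()' into parts.

    Only names listed in `columns` followed by (n) are column references;
    everything else, such as 'ADMIN_' or '.', is literal text kept as written.
    Each part is ("lit", text) or ("col", name, n), where n is the number of
    leading characters to take and None means the whole value, as in last().
    """
    alt = "|".join(re.escape(c) for c in sorted(columns, key=len, reverse=True))
    token_re = re.compile(r"(%s)\((\d*)\)" % alt)
    parts, pos = [], 0
    for m in token_re.finditer(convention):
        if m.start() > pos:
            parts.append(("lit", convention[pos:m.start()]))
        name, n = m.group(1), m.group(2)
        parts.append(("col", name, int(n) if n else None))
        pos = m.end()
    if pos < len(convention):
        parts.append(("lit", convention[pos:]))
    return parts


def render(parts, row):
    """Build the identity string one convention yields for one row.

    Column-derived text is lowercased and literal text is kept as written,
    which reproduces the page's examples (janjoh, ADMIN_jdoe); that split is
    an assumption, not documented Splunk behaviour.
    """
    out = []
    for part in parts:
        if part[0] == "lit":
            out.append(part[1])
        else:
            _, name, n = part
            value = row.get(name, "")
            out.append((value if n is None else value[:n]).lower())
    return "".join(out)


def candidate_identities(row, conventions, columns):
    """All identity strings the enabled conventions generate for one row."""
    return [render(parse_convention(c, columns), row) for c in conventions]


def resolve(observed, rows, conventions, columns, case_sensitive=False):
    """Return the rows whose convention-derived identities match `observed`.

    With case_sensitive=False (the page's default) the comparison is
    case-folded, which yields more matches. When several rows match, the
    first one in table order is what automatic resolution would take.
    """
    norm = (lambda s: s) if case_sensitive else (lambda s: s.casefold())
    target = norm(observed)
    return [r for r in rows
            if any(norm(c) == target
                   for c in candidate_identities(r, conventions, columns))]


def collisions(rows, conventions, columns, case_sensitive=False):
    """Map each derived identity that more than one row produces to the
    `identity` values of those rows, in table order. Run this before enabling
    a short convention: every entry here would be attributed to the first row."""
    norm = (lambda s: s) if case_sensitive else (lambda s: s.casefold())
    seen = {}
    for r in rows:
        for c in candidate_identities(r, conventions, columns):
            seen.setdefault(norm(c), []).append(r["identity"])
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for conv, row in (("first(3)last(3)", SAMPLE_ROWS[0]),
                      ("first(1)middle(1).last()", SAMPLE_ROWS[1]),
                      ("ADMIN_first(1)last()", SAMPLE_ROWS[2])):
        print(conv, "->", render(parse_convention(conv, COLUMNS), row))
    print("collisions for first(1)last(1):",
          collisions(SAMPLE_ROWS, ["first(1)last(1)"], COLUMNS))
```

Running the script shows the three results from the page and that first(1)last(1) maps both Jane Johnson and Jim Jones to the same string, so an event for that identity would be resolved to whichever row comes first in the table. The same check with case_sensitive=True shows why the Case Sensitive option produces fewer matches: an observed "JANJOH" no longer resolves to Jane Johnson at all.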
Next step
Format the asset or identity list as a lookup in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1