Splunk® Enterprise Security

Administer Splunk Enterprise Security

Define identity formats in Splunk Enterprise Security

Define the identity formats that identify users in your environment on the Identity Lookup Configuration page. Changes made on the Identity Lookup Configuration page modify the identityLookup.conf file.

Prerequisite

Collect and extract asset and identity data in Splunk Enterprise Security

Steps

  1. From the Splunk ES menu bar, select Configure > Data Enrichment > Identity Lookup Configuration.
  2. (Optional) Deselect the check box for Email if email addresses do not identify users in your environment.
  3. (Optional) Deselect the check box for Email short if the username of an email address does not identify users in your environment.
  4. (Optional) Select the check box for Convention if you want to define custom conventions to use to identify users.
    1. Click Add a new convention to add a custom convention.
    2. You can identify users by the first few letters of their first name and the first few letters of their last name, based on the columns in the Identities Table. Use the convention of identity_first(n)middle(n)last(n) where identity, first, and last are any columns from the Identities Table, and where n is a number starting with 0. For example:
      • "Jane Marie Johnson" using the convention first(3)last(3) is janjoh
      • "John Michael Smith" using the convention first(1)middle(1).last() is jm.smith
      • "John Doe" using the convention ADMIN_first(1)last() is ADMIN_jdoe
      • Multiple matches are resolved automatically by taking the first match in the table or manually by specifying identity values.
  5. (Optional) Select the check box for Case Sensitive to require case-sensitive identity matching. Case-sensitive identity matching produces fewer matches.
  6. Click Save.
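
The convention syntax from step 4, worked through as an added Python example (not Splunk's own code) that expands a convention against identity rows and reports which generated names map to more than one identity. The column names, the sample rows, the lowercasing of column values, and reading `()` as "the whole value" are assumptions taken from the examples on this page.

```python
import re
from collections import defaultdict

# Constructed sample rows; column names are assumptions modelled on the page's examples.
IDENTITIES = [
    {"identity": "jjohnson",  "first": "Jane",  "middle": "Marie",   "last": "Johnson"},
    {"identity": "jsmith",    "first": "John",  "middle": "Michael", "last": "Smith"},
    {"identity": "jdoe",      "first": "John",  "middle": "",        "last": "Doe"},
    {"identity": "jjohnston", "first": "Janet", "middle": "",        "last": "Johnston"},
]

def expand(convention, row):
    """Expand column(n) tokens against one row; text outside tokens is kept literally."""
    # Longest column names first so a short name never shadows a longer one.
    cols = "|".join(sorted(map(re.escape, row), key=len, reverse=True))
    token = re.compile(rf"({cols})\((\d*)\)")
    out, pos = [], 0
    for m in token.finditer(convention):
        out.append(convention[pos:m.start()])   # literal prefix or separator, e.g. "ADMIN_" or "."
        value = row[m.group(1)].lower()         # assumption: lowercased, as in the page's examples
        # Assumption: empty parentheses mean the whole value, (n) the first n characters.
        out.append(value[:int(m.group(2))] if m.group(2) else value)
        pos = m.end()
    out.append(convention[pos:])
    return "".join(out)

def collisions(convention, rows):
    """Return generated names that map to more than one identity, in table order."""
    seen = defaultdict(list)
    for row in rows:
        seen[expand(convention, row)].append(row["identity"])
    return {name: ids for name, ids in seen.items() if len(ids) > 1}

if __name__ == "__main__":
    for conv in ("first(3)last(3)", "first(1)middle(1).last()", "ADMIN_first(1)last()"):
        names = [expand(conv, r) for r in IDENTITIES]
        print(f"{conv:28} {names} collisions={collisions(conv, IDENTITIES)}")
```

A non-empty collision result means events carrying that name are attributed to whichever identity comes first in the table, so short conventions such as `first(3)last(3)` are worth checking against the full identity list before you enable them.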

Next step

Format the asset or identity list as a lookup in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1

