I'm almost certain I used the wrong lingo, but I'd like to essentially create a field based on a search or regex, where I want my own predetermined label to be the field value, not any of the contents of the raw log.
So, if I have a search like this:
index=myIndex sourcetype=mysourcetype "dude really did login"
I'd want all of those results to be tagged with a field named "ServerEvent" and have the value set to "LOGIN".
Alternatively, I'd want a search like this:
index=myIndex sourcetype=mysourcetype "dude really did logout"
I'd want all of those results to be tagged with a field named "ServerEvent" and have the value set to "LOGOUT".
What is the most efficient way to do this in Splunk?
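One way to do what the question describes, as an added example that is not part of the original post or its answers: a single search that covers both cases and assigns the label with eval's case() function, matching the raw event text with match(). The index, sourcetype and message strings are the ones from the question; the trailing "OTHER" default and the stats line are assumptions added here so the result can be checked at a glance.

```spl
index=myIndex sourcetype=mysourcetype ("dude really did login" OR "dude really did logout")
| eval ServerEvent=case(
    match(_raw, "dude really did login"),  "LOGIN",
    match(_raw, "dude really did logout"), "LOGOUT",
    true(),                                "OTHER")
| stats count by ServerEvent
```

The first pipeline stage keeps only the events that can carry one of the two labels, so case() does the minimum work. match() is a case-sensitive regex against _raw; prefix the pattern with (?i) if the log casing varies. If the label should exist without repeating the eval in every search, the same case() expression can be stored once as a calculated field in props.conf under the [mysourcetype] stanza as EVAL-ServerEvent = case(...), after which ServerEvent is available at search time for any search over that sourcetype.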
This post may help you with this:
http://answers.splunk.com/answers/9073/set-field-based-on-another-field