Solved: My Named Searches are being Audited, can I put a t...

mcm10285 · ‎07-24-2014

Our named searches are being audited. Named searches are those that have a specific User name in the actual search syntax. Those are audited and I would like to find a way to attach a ticket number to the search so a named search would be labeled by a ticket number.

Is there a way to do this on an inline search?

gkanapathy · ‎07-24-2014

My only suggestion would be for you to stick an extraneous eval command in the middle of the search, e.g., from:

sourcetype=mysourcetype userid=xyz | stats count by source_ip

to

sourcetype=mysourcetype userid=xyz | eval ticket_number="ABC1234567" | stats count by source_ip

View solution in original post

gkanapathy · ‎07-24-2014

My only suggestion would be for you to stick an extraneous eval command in the middle of the search, e.g., from:

sourcetype=mysourcetype userid=xyz | stats count by source_ip

to

sourcetype=mysourcetype userid=xyz | eval ticket_number="ABC1234567" | stats count by source_ip

mcm10285 · ‎07-24-2014

That's it! So simple! Thank you!

My Named Searches are being Audited, can I put a title on my search?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!