Splunk ES: 6.5.2, Splunk Enterprise Security: 4.5.1
I am adding a new swimlane to the Identities Investigator and have hit a slight snag.
The new swimlane will be searching a data source where the username is in the following format: [domain]\[username], while the name added to Identity Investigator will not generally receive the domain, just the username.
My swimlane does work if I just use *[username] in Identity Investigator, to wildcard the user field, but this will then require the analyst to remember to wildcard the username, not to mention being inefficient.
Is there a way to preformat the constraint field from within the swimlane to add either the domain or a wildcard before the search begins?
E.g.
$constraint$ : user=myusername
Datasource user field : mydomain\myusername
So $constraint$ would need to be *myusername
I was having this same issue with a swim lane for a host field. I was able to create a field alias that matched the default constraints field and now it works perfectly, not to mention that I now have a standard field name that I can do regular searches against.
http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Addaliasestofields
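As an added illustration (not from either poster), here is what that approach looks like in props.conf for the original question's domain\username case. It assumes a sourcetype named `my_auth_source` and an extracted field named `src_user` holding the raw `mydomain\myusername` value; both names are placeholders. The alias alone would still carry the domain prefix, so a calculated field is used to strip it, which lets the swimlane's `$constraint$` (`user=myusername`) match without the analyst adding a wildcard.

```ini
# Constructed example: props.conf stanza for the data source searched by the swimlane.
# Assumed names: sourcetype "my_auth_source", raw field "src_user".
[my_auth_source]

# Option A (what the answer describes): expose the raw field under the
# constraint field name. Only sufficient if the raw value has no domain prefix.
FIELDALIAS-user_for_es = src_user AS user

# Option B: calculated field that keeps only the part after the last backslash.
# Calculated fields run after field aliases at search time, so this value of
# "user" wins. If src_user has no backslash, split() returns one element and
# mvindex(..., -1) returns it unchanged, so plain usernames still work.
EVAL-user = mvindex(split(src_user, "\\"), -1)
```

Restart is not required for props.conf search-time changes, but the stanza must be deployed to the search head where Enterprise Security runs the swimlane search.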