Splunk Enterprise Security

Preformatting a constraint field in a swimlane

sheamus69
Communicator
Splunk ES: 6.5.2, Splunk Enterprise Security: 4.5.1

I am adding a new swimlane to the Identities Investigator and have hit a slight snag.

The new swimlane will be searching a data source where the username is in the following format: [domain]\[username]

The name added to Identity Investigator, however, will generally not receive the domain, just the username.

My swimlane does work if I just use *[username] in Identity Investigator, to wildcard the user field, but this will then require the analyst to remember to wildcard the username, not to mention being inefficient.

Is there a way to preformat the constraint field from within the swimlane to add either the domain or a wildcard before the search begins?

E.g.

$constraint$ : user=myusername
Datasource user field : mydomain\myusername

So $constraint$ would need to be *myusername

jakmiller
Engager

I was having this same issue with a swimlane for a host field. I was able to create a field alias that matched the default constraint field and now it works perfectly, not to mention that I now have a standard field name that I can do regular searches against.
http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Addaliasestofields

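As an added illustration of the approach in the answer above (this is example configuration, not the poster's own, and not part of the original thread), here is a search-time props.conf stanza that first aliases the data source's raw field onto the constraint field name the swimlane uses, and then, as an extra step the answer does not cover, strips a DOMAIN\ prefix with a calculated field so that the plain username entered in Identity Investigator matches without a wildcard. The sourcetype name and the raw field name account_name are hypothetical; substitute your own.

```ini
# props.conf (search-time knowledge objects), e.g. under
# $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf
# Stanza name is a hypothetical sourcetype for the swimlane's data source.
[my:auth:source]

# 1. Field alias, as in the answer: expose the raw field (hypothetical name
#    account_name) under the name the swimlane constraint uses ("user").
#    An alias only renames; the value "mydomain\myusername" is unchanged.
FIELDALIAS-swimlane_user = account_name AS user

# 2. Calculated field (added assumption, not from the thread): Splunk applies
#    field aliases before calculated fields, so this can reference the aliased
#    "user". In an eval string "\\" is one literal backslash; split() on it and
#    mvindex(..., -1) keeps the last segment, so "mydomain\myusername" becomes
#    "myusername" and a value with no backslash is left as it is.
EVAL-user = mvindex(split(user, "\\"), -1)
```

After a restart (or debug/refresh), check the result with a plain search against the sourcetype, for example `sourcetype=my:auth:source user=myusername | stats count`; if that returns events, the swimlane search using `$constraint$` will match the same way. If you still need the domain for other searches, keep `user` intact and write the stripped value to a separate field (e.g. `EVAL-user_short = ...`) and point that swimlane's constraint field at it instead of overwriting `user`.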