Preformatting a constraint field in a swimlane

sheamus69 · ‎06-22-2017

Splunk ES: 6.5.2 Splunk 
Enterprise Security: 4.5.1

I am adding a new swimlane to the Identities Investigator and have hit a slight snag.

The new swimlane will be searching a data source where the username is in the following format: [domain][username]

While the name added to Identity Investigator will not generally recieve the domain, just the username.

My swimlane does work if I just use *[username] in Identity Investigator, to wildcard the user field, but this will then require the analyst to remember to wildcard the username, not to mention being inefficient.

Is there a way to preformat the constraint field from within the swimlane to add either the domain or a wildcard before the search begins?

EG

$constraint$ : user=myusername
Datasource user field : mydomain\myusername

So $constraint$ would need to*myusername

jakmiller · ‎02-17-2018

I was having this same issue with a swim lane for a host field. I was able to create a field alias that matched the default constraints field and now it works perfectly, not to mention that I now have a standard field name that I can do regular searches against now.
http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Addaliasestofields

Preformatting a constraint field in a swimlane

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...