Knowledge Management

How do you tag a field based on a condition?

mpasha
Path Finder

Good day everyone,

I was wondering if there is a way to tag certain fields based on the value of that specific field.

As an example, we have field "UserID", which includes all users (including admins). However, I want to tag the UserID field as admin if the user is an administrator.

Is this possible?

1 Solution

woodcock
Esteemed Legend

Create a lookup file with all of the administrators IDs in it and a second field called usertype with every row having a value of admin. Then create an automatic lookup that will create a field called usertype with a value of admin for any user who is an admin. Then create a tag for usertype=admin and give it the value of admin.

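The procedure woodcock describes (lookup CSV, automatic lookup, then a tag on the field/value pair) as an added worked example that is not from the thread: a POSIX shell function that writes the four files into a small Splunk app. It also answers the scoping question in the follow-up below: an automatic lookup is attached to a props.conf stanza and only fires for events that match that stanza, so the LOOKUP- line is repeated under each sourcetype that carries UserID. The app name admin_tagging, the lookup name admin_users, the sourcetypes ad_security and ad_audit, and the user IDs in the CSV are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. All names below are assumed.
# Usage: write_admin_tag_app "$SPLUNK_HOME/etc/apps/admin_tagging"
# then restart Splunk (or debug/refresh) so props/transforms are reloaded.

write_admin_tag_app() {
    app="$1"
    mkdir -p "$app/lookups" "$app/local"

    # 1. Lookup table: one row per administrator plus a constant usertype column.
    #    The rows are constructed sample data.
    cat > "$app/lookups/admin_users.csv" <<'EOF'
UserID,usertype
jdoe,admin
svc_backup,admin
EOF

    # 2. transforms.conf: register the CSV as the lookup definition "admin_users".
    #    case_sensitive_match=false so JDOE and jdoe both match the table.
    cat > "$app/local/transforms.conf" <<'EOF'
[admin_users]
filename = admin_users.csv
case_sensitive_match = false
EOF

    # 3. props.conf: the automatic lookup. It belongs to a stanza, so it only
    #    runs for events matching that stanza; repeat it per sourcetype (a
    #    [source::...] stanza also works and accepts wildcards in the path).
    #    OUTPUTNEW leaves an existing usertype field alone; OUTPUT overwrites it.
    cat > "$app/local/props.conf" <<'EOF'
[ad_security]
LOOKUP-admin_users = admin_users UserID OUTPUTNEW usertype

[ad_audit]
LOOKUP-admin_users = admin_users UserID OUTPUTNEW usertype
EOF

    # 4. tags.conf: a tag is attached to a field=value pair, not to a bare field.
    #    Events whose lookup-derived usertype is "admin" now match tag=admin.
    cat > "$app/local/tags.conf" <<'EOF'
[usertype=admin]
admin = enabled
EOF
}

# Sanity check that every file landed where Splunk expects it; returns 0 on success.
check_admin_tag_app() {
    app="$1"
    [ -f "$app/lookups/admin_users.csv" ] &&
    grep -q '^\[admin_users\]' "$app/local/transforms.conf" &&
    grep -q '^LOOKUP-admin_users = admin_users UserID OUTPUTNEW usertype$' "$app/local/props.conf" &&
    grep -q '^\[usertype=admin\]' "$app/local/tags.conf"
}
```

Once the app is loaded, a search such as `index=adsecurity tag=admin` (or the narrower `tag::usertype=admin`) returns only events whose UserID appears in the CSV; the UserID field itself is untouched, which is why the tag sits on usertype=admin rather than on UserID. If a user is removed from the admin group, editing the CSV is enough; no saved search or tag definition needs to change.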


mpasha
Path Finder

Thanks for the answer Woodcock. One question though: if I create an automatic lookup, then this tag will only work for one sourcetype. Am I wrong?
What will happen if I use a search like the following in the "field value pair" when creating an index?

index=adsecurity AND UserID=* AND Display_Name="admin"|lookup test userid as userid output Display_Name as Display_Name


woodcock
Esteemed Legend

There is a hack to apply an automatic lookup to use wildcards. See here:
https://answers.splunk.com/answers/8505/is-it-possible-to-use-wildcards-in-sourcetype-props-conf-sta...
