Solved: Re: How do you tag a field based on a condition?

mpasha · ‎02-01-2019

Good day everyone,

I was wondering if there is a way to tag certain fields based on the value of that specific field.

As an example, we have field "UserID", which includes all users (including admins). However, I want to tag the UserID field as admin if the user is an administrator.

is this possible?

woodcock · ‎02-01-2019

Create a lookup file with all of the administrators IDs in it and a second field called usertype with every row having a value of admin. Then create an automatic lookup that will create a field called usertype with a value of admin for any user who is an admin. Then create a tag for usertype=admin and give it the value of admin.

View solution in original post

woodcock · ‎02-01-2019

Create a lookup file with all of the administrators IDs in it and a second field called usertype with every row having a value of admin. Then create an automatic lookup that will create a field called usertype with a value of admin for any user who is an admin. Then create a tag for usertype=admin and give it the value of admin.

mpasha · ‎02-01-2019

Thanks for the answer Woodcock, One question though, if i create an automatic lookup then this tag will only work for one source type. am i wrong?
what will happen if i use a search like the following in the "field value pair" when creating an index

index=adsecurity AND UserID=* AND Display_Name="admin"|lookup test userid as userid output Display_Name as Display_Name

woodcock · ‎02-02-2019

There is a hack to apply an automatic lookup to use wildcards. See here:
https://answers.splunk.com/answers/8505/is-it-possible-to-use-wildcards-in-sourcetype-props-conf-sta...

How do you tag a field based on a condition?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...