https://community.splunk.com/t5/Getting-Data-In/Split-event-before-apply-profiling/m-p/476067#M81694 <P>Hi Giuseppe,</P> <P>Thank you for your response. That's not what I'm asking. Due to the profiling, events which contain tag1 and tag2 at the same time, are already filtered and doesn't appear. What I need is to show events with tagged with (tag2) and (tag1tag2) at the same time. </P> <P>Thanks.</P> Fri, 13 Sep 2019 06:10:49 GMT pbalbasm 2019-09-13T06:10:49Z https://community.splunk.com/t5/Getting-Data-In/Split-event-before-apply-profiling/m-p/476065#M81692 <P>Hi all,</P> <P>I have events tagged with <EM>tag1</EM> and others with <EM>tag2</EM>. In the <EM>restricted search terms of the search</EM> in roles, I have <CODE>NOT tag=tag1</CODE> so users can't see <EM>tag1</EM> events. The problem is when an event contains both tags, so users cannot see the events and they should. </P> <P>Is there any way to split that events by tag in order that users are able to see those which contains <EM>tag2</EM>?</P> <P>Thanks in advance.</P> Thu, 12 Sep 2019 12:31:05 GMT https://community.splunk.com/t5/Getting-Data-In/Split-event-before-apply-profiling/m-p/476065#M81692 pbalbasm 2019-09-12T12:31:05Z https://community.splunk.com/t5/Getting-Data-In/Split-event-before-apply-profiling/m-p/476066#M81693 <P>Hi pbalbasm,<BR /> let me understand: do you want a search with the condition tag=tag2?<BR /> if yes, try something like this:</P> <PRE><CODE>index=my_index tag=tag2 </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Thu, 12 Sep 2019 18:17:07 GMT https://community.splunk.com/t5/Getting-Data-In/Split-event-before-apply-profiling/m-p/476066#M81693 gcusello 2019-09-12T18:17:07Z https://community.splunk.com/t5/Getting-Data-In/Split-event-before-apply-profiling/m-p/476067#M81694 <P>Hi Giuseppe,</P> <P>Thank you for your response. That's not what I'm asking. Due to the profiling, events which contain tag1 and tag2 at the same time, are already filtered and doesn't appear. What I need is to show events with tagged with (tag2) and (tag1tag2) at the same time. </P> <P>Thanks.</P> Fri, 13 Sep 2019 06:10:49 GMT https://community.splunk.com/t5/Getting-Data-In/Split-event-before-apply-profiling/m-p/476067#M81694 pbalbasm 2019-09-13T06:10:49Z https://community.splunk.com/t5/Getting-Data-In/Split-event-before-apply-profiling/m-p/476068#M81695 <P>ok, try this<BR /> index=my_index tag=tag2 OR (tag=tag1 tag=tag2)<BR /> Bye.<BR /> Giuseppe</P> Fri, 13 Sep 2019 06:56:35 GMT https://community.splunk.com/t5/Getting-Data-In/Split-event-before-apply-profiling/m-p/476068#M81695 gcusello 2019-09-13T06:56:35Z https://community.splunk.com/t5/Getting-Data-In/Split-event-before-apply-profiling/m-p/476069#M81696 <P>Hi, as I said that events doesn't appear, so it's not possible to manage in that way.</P> Fri, 13 Sep 2019 07:27:39 GMT https://community.splunk.com/t5/Getting-Data-In/Split-event-before-apply-profiling/m-p/476069#M81696 pbalbasm 2019-09-13T07:27:39Z https://community.splunk.com/t5/Getting-Data-In/Split-event-before-apply-profiling/m-p/476070#M81697 <P>Sorry!<BR /> but if you use <BR /> index=my_index (tag=tag1 OR tag=tag2)</P> <UL> <LI>events with only tag1 are seen by users enabled for tag1,</LI> <LI>events with only tag2 are seen by users enabled for tag2,</LI> <LI>events with tag1 and tag2 should be seen by users enabled for tag1 or tag2,</LI> </UL> <P>Bye.<BR /> Giuseppe</P> Fri, 13 Sep 2019 07:46:36 GMT https://community.splunk.com/t5/Getting-Data-In/Split-event-before-apply-profiling/m-p/476070#M81697 gcusello 2019-09-13T07:46:36Z