topic Re: Adding Characters to the beginning of a field only when field starts with "\" in Splunk Search

Adding Characters to the beginning of a field only when field starts with "\"

ajdyer2000 — Tue, 14 Feb 2017 21:44:14 GMT

I have a search that returns a field called "Administrators"

Administrators

\DomainAdmins
\Backup Group
\Eventlog Administrators
user1
user2

for every entry that has a \ at the beginning I would like to put the word "Domain"

Domain\DomainAdmins
Domain\Backup Group
Domain\Eventlog Administrators
user1
user2

nickhills — Tue, 14 Feb 2017 22:02:07 GMT

This should work for you:

*|eval administrators=if(match(administrators, "^\\\.+"), "Domain".administrators, administrators)|table administrators

DalJeanis — Tue, 14 Feb 2017 22:07:52 GMT

Probably want to put a carat ^ at the start of that, so it only matches at the beginning of the string.

"Match" returns true if the REGEX can find a match against any substring of SUBJECT.

ajdyer2000 — Tue, 14 Feb 2017 22:08:59 GMT

I get no results found with that

nickhills — Tue, 14 Feb 2017 22:09:50 GMT

good point. edited.

nickhills — Tue, 14 Feb 2017 22:13:04 GMT

whats your starting search?

ajdyer2000 — Wed, 15 Feb 2017 19:16:50 GMT

Hi what would the new search look like?

nickhills — Wed, 15 Feb 2017 19:22:03 GMT

can you provide the search you are using now?

somesoni2 — Wed, 15 Feb 2017 19:22:38 GMT

In @nickhillscpl's answer, replace first * with whatever search you've right now. Just add that | eval administrator... to end of your search.