topic Re: search query not filtered by tag command in Splunk Search

search query not filtered by tag command

Splunkster45 — Mon, 28 Sep 2020 17:38:13 GMT

I have created a field using the rex command. I have partioned the field into two parts: admin and spss_user. However when I try to search for non admins (tag!=admin), I still get both admin and non_admins.

index=spss earliest=-48h@h tag!=admin "Login succeeded for user" | rex field=_raw ".*Login succeeded for user: (?<user>.*)"

When I replace tag!=admin with tag=admin, I get back no results. I was attempting to follow this video: http://www.splunk.com/view/SP-CAAAGYJ, but I am not having any success.

Thoughts?

Re: search query not filtered by tag command

Splunkster45 — Fri, 19 Sep 2014 15:42:39 GMT

When alt clicking on the tag spss_user I get the following code

index=spss earliest=-48h@h "Login succeeded for user" NOT tag::user="spss_user" | rex field=_raw ".*Login succeeded for user: (?<user>.*)"

However, when I search by this, I get back both the admin and spss_user tags

Re: search query not filtered by tag command

sowings — Fri, 19 Sep 2014 16:55:39 GMT

Please post the definition of your tag. The tagging would occur behind the scenes before the rex command, so if it is depending upon the value of the rex fields (user), then you'll have to go through some other contortions to get it to work.

Re: search query not filtered by tag command

Splunkster45 — Fri, 19 Sep 2014 19:27:48 GMT

I think you may have something there. Could it be that the tags are being called before the field user is created?

I tried the below command, but it did not work, everything was returned.

index=spss earliest=-48h@h "Login succeeded for user"  | rex field=_raw ".*Login succeeded for user: (?<user>.*)" | search NOT tag::user="spss_user"

Thoughts?

Re: search query not filtered by tag command

sowings — Fri, 19 Sep 2014 19:38:01 GMT

Yes, tags happen before your rex command is run. If you can't add this to the props for the sourcetype, add | typer after your rex, but before your search. This command evaluates eventtypes (upon which tags are based), manually, and would then act on any new fields that were made available by search commands earlier in the pipeline.

Re: search query not filtered by tag command

Splunkster45 — Fri, 19 Sep 2014 20:13:54 GMT

Hmmm... maybe I'm not following you as closely as I thought. I tried the following command

    index=spss earliest=-48h@h "Login succeeded for user"  | rex field=_raw ".*Login succeeded for user: (?<user>.*)" | typer | search NOT tag::user="spss_user"

however, it doesn't appear that anything different has happened. I am still getting both the spss_user and the admin tags.