We are trying to set up a sysevent filter for the name attribute. We have more than 1 name attribute and have set up the filter like this:
filter_data = name=login&name=logout&name=login.failed&name=impersonation.start&name=impersonation.end&name=security.elevated_role.enabled&name=security.elevated_role.disabled
But, it doesn't work as expected.
The issue we saw appears to be that you can’t specify multiple values for the same column name using the &. So name=login&parm1=myid works but name=login&name=logout (repeating the same column multiple times) does not. The URL would need to specify a list of values for the name column instead of repeating it.
What is the proper syntax for adding the filters?
As of this writing, the filter implementation only supports the "&(AND)" operator and no OR. This poses a limit in various use-cases.
The doc, https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Configureinputs, gives us hints that it accepts different key names in the filter.
{ Enter filters, in key-value pairs for indexing selected data from the table. For example, key1=value1&key2=value2. By default, there is no filter. }
You may want to share your ideas and concerns via https://ideas.splunk.com.
Hope it helps.