Dashboards & Visualizations

Add string to specific value

marco_massari11
Communicator

Hi,

I have a query like this:

index=star eventtype=login-history action=success Username=**

| stats count by Username
| sort - count
| head 10

So in my result I have a list of username with the login count for each one. I know some users are bot, so I want to add a string before the username like BOT_Username, probably with if condition. For example, in my result I have:

Alice  10

Bob   8

Carol    7

David   4

Eddie  2

I know Alice and Bob are bot, so I need:

BOT_Alice  10

BOT_Bob   8

Carol    7

David   4

Eddie  2

Thanks in advance!

 

Labels (2)
0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Do something like this

index=star eventtype=login-history action=success Username=**
| stats count by Username
| sort 10 -count
| eval Username=if(Username="Alice" OR Username="Bob", "BOT_".Username,Username)

 Update the if condition per your need.

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Do something like this

index=star eventtype=login-history action=success Username=**
| stats count by Username
| sort 10 -count
| eval Username=if(Username="Alice" OR Username="Bob", "BOT_".Username,Username)

 Update the if condition per your need.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...