Solved: Add string to specific value

marco_massari11 · ‎10-22-2021

Hi,

I have a query like this:

index=star eventtype=login-history action=success Username=**

| stats count by Username
| sort - count
| head 10

So in my result I have a list of username with the login count for each one. I know some users are bot, so I want to add a string before the username like BOT_Username, probably with if condition. For example, in my result I have:

Alice 10

Bob 8

Carol 7

David 4

Eddie 2

I know Alice and Bob are bot, so I need:

BOT_Alice 10

BOT_Bob 8

Carol 7

David 4

Eddie 2

Thanks in advance!

somesoni2 · ‎10-22-2021

Do something like this

index=star eventtype=login-history action=success Username=**
| stats count by Username
| sort 10 -count
| eval Username=if(Username="Alice" OR Username="Bob", "BOT_".Username,Username)

Update the if condition per your need.

View solution in original post

somesoni2 · ‎10-22-2021

Do something like this

index=star eventtype=login-history action=success Username=**
| stats count by Username
| sort 10 -count
| eval Username=if(Username="Alice" OR Username="Bob", "BOT_".Username,Username)

Update the if condition per your need.

Add string to specific value

single value

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation