Solved: Add string to specific value

marco_massari11 · ‎10-22-2021

Hi,

I have a query like this:

index=star eventtype=login-history action=success Username=**

| stats count by Username
| sort - count
| head 10

So in my result I have a list of username with the login count for each one. I know some users are bot, so I want to add a string before the username like BOT_Username, probably with if condition. For example, in my result I have:

Alice 10

Bob 8

Carol 7

David 4

Eddie 2

I know Alice and Bob are bot, so I need:

BOT_Alice 10

BOT_Bob 8

Carol 7

David 4

Eddie 2

Thanks in advance!

somesoni2 · ‎10-22-2021

Do something like this

index=star eventtype=login-history action=success Username=**
| stats count by Username
| sort 10 -count
| eval Username=if(Username="Alice" OR Username="Bob", "BOT_".Username,Username)

Update the if condition per your need.

View solution in original post

somesoni2 · ‎10-22-2021

Do something like this

index=star eventtype=login-history action=success Username=**
| stats count by Username
| sort 10 -count
| eval Username=if(Username="Alice" OR Username="Bob", "BOT_".Username,Username)

Update the if condition per your need.

Add string to specific value

Other

single value

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout