Solved: Add string to specific value

marco_massari11 · ‎10-22-2021

Hi,

I have a query like this:

index=star eventtype=login-history action=success Username=**

| stats count by Username
| sort - count
| head 10

So in my result I have a list of username with the login count for each one. I know some users are bot, so I want to add a string before the username like BOT_Username, probably with if condition. For example, in my result I have:

Alice 10

Bob 8

Carol 7

David 4

Eddie 2

I know Alice and Bob are bot, so I need:

BOT_Alice 10

BOT_Bob 8

Carol 7

David 4

Eddie 2

Thanks in advance!

somesoni2 · ‎10-22-2021

Do something like this

index=star eventtype=login-history action=success Username=**
| stats count by Username
| sort 10 -count
| eval Username=if(Username="Alice" OR Username="Bob", "BOT_".Username,Username)

Update the if condition per your need.

View solution in original post

somesoni2 · ‎10-22-2021

Do something like this

index=star eventtype=login-history action=success Username=**
| stats count by Username
| sort 10 -count
| eval Username=if(Username="Alice" OR Username="Bob", "BOT_".Username,Username)

Update the if condition per your need.

Add string to specific value

single value

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

Add string to specific value

single value

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...