Evaluate only certain eventtypes by tag

ihpyr4
Engager

I am trying to do a search in Splunk that applies only eventtypes that are owned by my account to the events found. The best way I found to do this so far was to tag each eventtype and filter that using tag::eventtype="my_eventtype" which appears to successfully apply only what I asked. The problem is that now the search will filter out any events that the eventtypes do not apply to. I still want to see all of the events that the search finds, but only apply the eventtypes I want to improve efficiency (we have a lot of eventtypes at my company). Is there any way to have search only evaluate certain eventtypes but still show all events found for a search?

woodcock
Esteemed Legend

If I understand you correctly, you would like your events to ONLY show those eventtypes that are owned by YOU. If so, just add this to the bottom of your search (be sure to replace the <*****INSERT YOUR SPLUNK LOGIN HERE*****>):

... | eval eventtype = mvfilter(match(eventtype, [| rest /servicesNS/<*****INSERT YOUR SPLUNK LOGIN HERE*****>/-/configs/conf-eventtypes splunk_server=local 
| table title 
| format "" "" "" "|" "" "" 
| rex field=search mode=sed "s/title=//g s/\"//g s/ //g s/^/\"/ s/\|?$/\"/"
| return $search]))
| table eventtype
0 Karma
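The search above works by turning the list of eventtype names owned by the user into a single regex alternation (`"a|b|c"`) and then handing that to `mvfilter(match(eventtype, ...))`, which keeps every event but trims its multivalue `eventtype` field to the matching names. The following Python block is an added example, not part of the original thread and not Splunk code: it models that subsearch-plus-mvfilter logic on constructed sample data so the behaviour can be checked offline. The eventtype names and events in it are invented, and it also shows the one caveat worth knowing about the original: `match()` is a regex search, not an equality test, so an unanchored pattern built from `my_logins` will also keep an eventtype named `my_logins_legacy` unless the pattern is anchored as `^(...)$`.

```python
import re

# Constructed sample data (not from the original post): eventtype names as the
# "title" field of /servicesNS/<user>/-/configs/conf-eventtypes would return them,
# and a few events each carrying a multivalue eventtype field.
MY_EVENTTYPES = ["my_errors", "my_logins"]
EVENTS = [
    {"_raw": "login failed", "eventtype": ["my_logins", "corp_auth", "my_logins_legacy"]},
    {"_raw": "disk full",    "eventtype": ["corp_ops"]},
    {"_raw": "traceback",    "eventtype": ["my_errors"]},
]


def build_pattern(titles, anchored=True):
    """Model of the subsearch: join the eventtype names into one regex.

    The original SPL (format + rex mode=sed) yields the unanchored form "a|b|c".
    With anchored=True this returns "^(a|b|c)$" so match() must consume the
    whole eventtype name rather than any substring of it.
    """
    alternation = "|".join(re.escape(title) for title in titles)
    return f"^({alternation})$" if anchored else alternation


def filter_eventtypes(events, pattern):
    """Model of: | eval eventtype = mvfilter(match(eventtype, <pattern>))

    Every event is kept (no row is dropped); only the values of the multivalue
    eventtype field are reduced to those matching the pattern. An event whose
    eventtypes all fail the match keeps an empty list, as Splunk would leave the
    field null.
    """
    rx = re.compile(pattern)
    filtered = []
    for event in events:
        kept = [et for et in event["eventtype"] if rx.search(et)]
        filtered.append({**event, "eventtype": kept})
    return filtered


if __name__ == "__main__":
    for anchored in (False, True):
        pattern = build_pattern(MY_EVENTTYPES, anchored=anchored)
        print(f"pattern {pattern!r}:")
        for event in filter_eventtypes(EVENTS, pattern):
            print(f"  {event['_raw']!r:16} eventtype={event['eventtype']}")
```

Running it shows the difference: with the unanchored pattern the first event keeps both `my_logins` and `my_logins_legacy`, with the anchored one only `my_logins`; in both cases all three events survive, which is the property the question asked for. To get the anchored behaviour in the original SPL, the last two sed substitutions would need to emit `"^(` and `)$"` instead of bare quotes.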

woodcock
Esteemed Legend

Remove any tag= and/or eventtype= from your search.

0 Karma

johnward4
Communicator

@woodcock I'm trying to do something very similar to the question for this post. Any ideas how I would be able to return only results for my specific eventtype? https://answers.splunk.com/answers/762805/help-searching-using-eventtype-and-tags.html?childToView=7...

0 Karma