I am trying to do a search in Splunk that applies only eventtypes that are owned by my account to the events found. The best way I found to do this so far was to tag each eventtype and filter that using tag::eventtype="my_eventtype" which appears to successfully apply only what I asked. The problem is that now the search will filter out any events that the eventtypes do not apply to. I still want to see all of the events that the search finds, but only apply the eventtypes I want to improve efficiency (we have a lot of eventtypes at my company). Is there any way to have search only evaluate certain eventtypes but still show all events found for a search?
If I understand you correctly, you would like your events to ONLY show those eventtypes that are owned by YOU. If so, just add this to the bottom of your search (be sure to replace the <*****INSERT YOUR SPLUNK LOGIN HERE*****>😞
... | eval eventtype = mvfilter(match(eventtype, [| rest/servicesNS/<*****INSERT YOUR SPLUNK LOGIN HERE*****>/-/configs/conf-eventtypes splunk_server=local
| table title
| format "" "" "" "|" "" ""
| rex field=search mode=sed "s/title=//g s/\"//g s/ //g s/^/\"/ s/\|?$/\"/"
| return $search]))
| table eventtype