Knowledge Management

Evaluate only certain eventtypes by tag


I am trying to do a search in Splunk that applies only eventtypes that are owned by my account to the events found. The best way I found to do this so far was to tag each eventtype and filter that using tag::eventtype="my_eventtype" which appears to successfully apply only what I asked. The problem is that now the search will filter out any events that the eventtypes do not apply to. I still want to see all of the events that the search finds, but only apply the eventtypes I want to improve efficiency (we have a lot of eventtypes at my company). Is there any way to have search only evaluate certain eventtypes but still show all events found for a search?

Esteemed Legend

If I understand you correctly, you would like your events to ONLY show those eventtypes that are owned by YOU. If so, just add this to the bottom of your search (be sure to replace the <*****INSERT YOUR SPLUNK LOGIN HERE*****>😞

... | eval eventtype = mvfilter(match(eventtype, [| rest/servicesNS/<*****INSERT YOUR SPLUNK LOGIN HERE*****>/-/configs/conf-eventtypes splunk_server=local 
| table title 
| format "" "" "" "|" "" "" 
| rex field=search mode=sed "s/title=//g s/\"//g s/ //g s/^/\"/ s/\|?$/\"/"
| return $search]))
| table eventtype
0 Karma

Esteemed Legend

Remove any tag= and/or eventtype= from your search.

0 Karma


@woodcock I'm trying to do something very similar to the question for this post. Any ideas how I would be able to return only results for my specific eventtype?

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!