Solved: How do you tag a field based on a condition?

mpasha · ‎02-01-2019

Good day everyone,

I was wondering if there is a way to tag certain fields based on the value of that specific field.

As an example, we have field "UserID", which includes all users (including admins). However, I want to tag the UserID field as admin if the user is an administrator.

is this possible?

woodcock · ‎02-01-2019

Create a lookup file with all of the administrators IDs in it and a second field called usertype with every row having a value of admin. Then create an automatic lookup that will create a field called usertype with a value of admin for any user who is an admin. Then create a tag for usertype=admin and give it the value of admin.

View solution in original post

woodcock · ‎02-01-2019

Create a lookup file with all of the administrators IDs in it and a second field called usertype with every row having a value of admin. Then create an automatic lookup that will create a field called usertype with a value of admin for any user who is an admin. Then create a tag for usertype=admin and give it the value of admin.

mpasha · ‎02-01-2019

Thanks for the answer Woodcock, One question though, if i create an automatic lookup then this tag will only work for one source type. am i wrong?
what will happen if i use a search like the following in the "field value pair" when creating an index

index=adsecurity AND UserID=* AND Display_Name="admin"|lookup test userid as userid output Display_Name as Display_Name

woodcock · ‎02-02-2019

There is a hack to apply an automatic lookup to use wildcards. See here:
https://answers.splunk.com/answers/8505/is-it-possible-to-use-wildcards-in-sourcetype-props-conf-sta...

How do you tag a field based on a condition?

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update