
How do you tag a field based on a condition?

Path Finder

Good day everyone,

I was wondering if there is a way to tag certain fields based on the value of that specific field.

As an example, we have a field "UserID", which includes all users (including admins). However, I want to tag the UserID field as admin if the user is an administrator.

Is this possible?

1 Solution

Esteemed Legend

Create a lookup file with all of the administrators' IDs in it and a second field called usertype with every row having a value of admin. Then create an automatic lookup that will create a field called usertype with a value of admin for any user who is an admin. Then create a tag for usertype=admin and give it the value of admin.

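The three steps in the answer above, written out as the Splunk configuration files involved. This is an added example, not part of the original answer; the lookup file name admins.csv, the lookup definition name admin_users, the sourcetype adsecurity_events and the sample user IDs are all assumed for illustration. Note that the automatic lookup is declared inside a props.conf stanza, so it only fires for the sourcetype (or source/host) that stanza names; to cover several sourcetypes, repeat the LOOKUP line under each of them.

```ini
# --- admins.csv ---------------------------------------------------------
# Lookup file (assumed location: $SPLUNK_HOME/etc/apps/search/lookups/).
# Sample rows are constructed for this example. The first column must use
# the same header as the event field, or be remapped with AS below.
UserID,usertype
jsmith,admin
asharma,admin
svc-backup,admin

# --- transforms.conf ----------------------------------------------------
# Lookup definition that points at the CSV. CSV matching is case-sensitive
# by default; uncomment case_sensitive_match if your UserID values vary in case.
[admin_users]
filename = admins.csv
# case_sensitive_match = false

# --- props.conf ---------------------------------------------------------
# Automatic lookup, scoped to one sourcetype stanza (assumed name).
# Syntax: LOOKUP-<name> = <lookup definition> <lookup column> [AS <event field>] OUTPUT <column>
# For every event whose UserID appears in admins.csv, a usertype=admin field is added.
[adsecurity_events]
LOOKUP-admin_users = admin_users UserID OUTPUT usertype

# A second sourcetype needs its own stanza with the same line:
# [wineventlog_security]
# LOOKUP-admin_users = admin_users UserID OUTPUT usertype

# --- tags.conf ----------------------------------------------------------
# Tag the field/value pair usertype=admin with the tag name "admin".
[usertype=admin]
admin = enabled
```

With these in place, a search such as `index=adsecurity tag=admin` (or the more specific `tag::usertype=admin`) returns only events whose UserID is listed in the lookup file, and adding a new administrator is just a new row in admins.csv rather than a change to any search.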


Path Finder

Thanks for the answer Woodcock. One question though: if I create an automatic lookup, then this tag will only work for one source type. Am I wrong?
What will happen if I use a search like the following in the "field value pair" when creating an index?

index=adsecurity AND UserID=* AND DisplayName="admin"|lookup test userid as userid output DisplayName as Display_Name


Esteemed Legend

There is a hack to make an automatic lookup use wildcards. See here:
https://answers.splunk.com/answers/8505/is-it-possible-to-use-wildcards-in-sourcetype-props-conf-sta...
