Knowledge Management

How do you tag a field based on a condition?

mpasha
Path Finder

Good day everyone,

I was wondering if there is a way to tag certain fields based on the value of that specific field.

As an example, we have field "UserID", which includes all users (including admins). However, I want to tag the UserID field as admin if the user is an administrator.

is this possible?

1 Solution

woodcock
Esteemed Legend

Create a lookup file with all of the administrators IDs in it and a second field called usertype with every row having a value of admin. Then create an automatic lookup that will create a field called usertype with a value of admin for any user who is an admin. Then create a tag for usertype=admin and give it the value of admin.

View solution in original post

woodcock
Esteemed Legend

Create a lookup file with all of the administrators IDs in it and a second field called usertype with every row having a value of admin. Then create an automatic lookup that will create a field called usertype with a value of admin for any user who is an admin. Then create a tag for usertype=admin and give it the value of admin.

View solution in original post

mpasha
Path Finder

Thanks for the answer Woodcock, One question though, if i create an automatic lookup then this tag will only work for one source type. am i wrong?
what will happen if i use a search like the following in the "field value pair" when creating an index

index=adsecurity AND UserID=* AND Display_Name="admin"|lookup test userid as userid output Display_Name as Display_Name

0 Karma

woodcock
Esteemed Legend

There is a hack to apply an automatic lookup to use wildcards. See here:
https://answers.splunk.com/answers/8505/is-it-possible-to-use-wildcards-in-sourcetype-props-conf-sta...

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!