Knowledge Management

Limit a workflow to a sourcetype

Explorer

Is it possible to only display a workflow on a certain sourcetype?

I have a lookup that takes the "EventCode" field in "WinEventLog:Security" sourcetype. However, this field also exists in Application and System logs, but the site the lookup is going to only has information about Security event.

0 Karma

SplunkTrust
SplunkTrust

Include the sourcetype in your search statement. For example:

sourcetype="WinEventLog:Security" "EventCode" | ...
---
If this reply helps you, an upvote would be appreciated.
0 Karma

Legend

i too believe there is a bug - this worked as documented in versions prior to 6.0

0 Karma

Path Finder

I have been trying to find the same thing.. Sounds like a great feature request

0 Karma

Explorer

"You can set up workflow actions that only apply to events that have a specified field or set of fields. ...you would declare http_status in the Apply only to the following fields setting.

...When more than one field is listed the workflow action is displayed only if the entire list of fields are present in the event."

Based on this information I thought I would be able to accomplish what I want by adding a second field that is not available in the System log, however, no matter what I add here, the workflow action is displayed for ALL events, even ones which do not have either field.

0 Karma

Explorer

Its not a search results issue. I have a workflow set up which has "Apply only to the following fields" set to "EventCode". However, this field is available in Security log events and System log events. I want to limit this action to only show for Security log events.

In doing some additional testing I think there may be a different behavior (bug) in version 6. According to the documentation (http://docs.splunk.com/Documentation/Splunk/6.0/Knowledge/CreateworkflowactionsinSplunkWeb):

0 Karma

SplunkTrust
SplunkTrust

Then you need to adjust your search to select only the events you want to see (or remove those you don't want to see). For example, 'sourcetype="WinEventLog:Security" LogName="Security" | ...'

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Explorer

That doesn't prevent the workflow from displaying in System events.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!