Splunk Enterprise Security

Preformatting a constraint field in a swimlane

Splunk ES: 6.5.2 Splunk 
Enterprise Security: 4.5.1

I am adding a new swimlane to the Identities Investigator and have hit a slight snag.

The new swimlane will be searching a data source where the username is in the following format: [domain][username]

While the name added to Identity Investigator will not generally recieve the domain, just the username.

My swimlane does work if I just use *[username] in Identity Investigator, to wildcard the user field, but this will then require the analyst to remember to wildcard the username, not to mention being inefficient.

Is there a way to preformat the constraint field from within the swimlane to add either the domain or a wildcard before the search begins?


$constraint$ : user=myusername
Datasource user field : mydomain\myusername

So $constraint$ would need to*myusername


I was having this same issue with a swim lane for a host field. I was able to create a field alias that matched the default constraints field and now it works perfectly, not to mention that I now have a standard field name that I can do regular searches against now.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...