Splunk Enterprise Security

Preformatting a constraint field in a swimlane

sheamus69
Communicator
Splunk ES: 6.5.2 Splunk Enterprise Security: 4.5.1

I am adding a new swimlane to the Identities Investigator and have hit a slight snag.

The new swimlane will be searching a data source where the username is in the following format: [domain][username]

While the name added to Identity Investigator will not generally receive the domain, just the username.

My swimlane does work if I just use *[username] in Identity Investigator, to wildcard the user field, but this will then require the analyst to remember to wildcard the username, not to mention being inefficient.

Is there a way to preformat the constraint field from within the swimlane to add either the domain or a wildcard before the search begins?

EG

$constraint$ : user=myusername
Datasource user field : mydomain\myusername

So $constraint$ would need to *myusername

jakmiller
Engager

I was having this same issue with a swim lane for a host field. I was able to create a field alias that matched the default constraints field and now it works perfectly, not to mention that I now have a standard field name that I can do regular searches against now.
http://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/Addaliasestofields

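The field-alias approach from the answer above, as an added props.conf example that is not from either post. The sourcetype name `custom:auth` and the raw field names `hostname` and `src_user` are assumptions; the second stanza line goes beyond the answer by also stripping the `domain\` prefix with an extraction, since an alias alone keeps the original value and would still not match `user=myusername`.

```ini
# Assumed sourcetype; replace with the sourcetype the swimlane searches.
[custom:auth]

# Case from the answer: the data source calls the field "hostname", but the
# Asset Investigator swimlane constraint is written against "host".
# A FIELDALIAS makes the same value available under the expected name,
# so "host=myserver" from the investigator matches without wildcards.
FIELDALIAS-es_host = hostname AS host

# Case from the question: src_user holds "mydomain\myusername", while the
# Identity Investigator passes "user=myusername". An alias would keep the
# domain prefix, so instead extract everything after the last backslash
# into a new "user" field. The regex is applied only to src_user.
EXTRACT-user_from_domain_user = (?<user>[^\\]+)$ in src_user

# Both are search-time knowledge objects: no reindexing is needed, and the
# new "user" and "host" fields are also available for normal searches.
```

Verify with a plain search (`sourcetype=custom:auth | table src_user user`) before relying on it in the swimlane; if the add-on already defines a `user` field for this sourcetype, change the extraction's target name rather than overriding it.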