Splunk Enterprise Security

multiple tag eval

metahaxorus
New Member

Hi I am creating a rule in enterprise security and am trying to use multiple tags.
| eval tag="prod_alert" and
| eval tag="risk_information"

What happens is every time the search runs the second tag overwrites the first tag. What do I need to do differently to use multiple tags in a rule?

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

I've never seen tags set at search time. Typically, they're tested at search time using (tag=prod_alert AND tag=risk_information, for example.
Setting tags usually is done via eventtypes, but not a search time.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

metahaxorus
New Member

Thank you for your comment it made me realize I was going in the wrong direction.

I didn't' need a tag. Instead, I made a search macro and set prod_alert=1 which allows me to search that field.

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!