Splunk Enterprise Security
multiple tag eval

New Member

Hi, I am creating a rule in Enterprise Security and am trying to use multiple tags:

| eval tag="prodalert"

and

| eval tag="risk information"

What happens is every time the search runs the second tag overwrites the first tag. What do I need to do differently to use multiple tags in a rule?

Re: multiple tag eval

SplunkTrust

I've never seen tags set at search time. Typically, they're tested at search time, using tag=prod_alert AND tag=risk_information, for example.
Setting tags is usually done via eventtypes, not at search time.

---
If this reply helps you, an upvote would be appreciated.
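As an added illustration of the eventtype-based approach described in this reply (not part of the original thread), the two stanzas below attach both tags to one eventtype. The index, sourcetype, severity field and eventtype name are constructed placeholders.

```ini
# eventtypes.conf (constructed example): define the events to be tagged.
# The index, sourcetype and severity values here are placeholders.
[prod_alert_events]
search = index=prod sourcetype=app_alerts severity=high

# tags.conf (constructed example): attach multiple tags to that eventtype.
# Each tag is its own key, so several tags coexist instead of overwriting
# each other as consecutive "eval tag=" statements do.
[eventtype=prod_alert_events]
prod_alert = enabled
risk_information = enabled
```

With these in place, a correlation search can filter on tag=prod_alert AND tag=risk_information and both conditions match the same events.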
Re: multiple tag eval

New Member

Thank you for your comment; it made me realize I was going in the wrong direction.

I didn't need a tag. Instead, I made a search macro and set prod_alert=1, which allows me to search that field.
