Solved: Hole in my "Bucket" - field value mixes Net_ID and...

kkas · ‎06-15-2015

The sourceType I was told to mess with has a "Name" field. The field sometimes holds the value of a users Network ID like johnSmith, but other times it will have a computer_name like RUIOEFJ876V8$. computer_name always ends in a $ sign.

Is it possible to split these into two buckets when tabling my search?

I tried using the regex command, but I'm not sure how to implement it with buckets, so I wanted to check if anyone had any ideas with that way of solving the issue or if they had an opinion of a better way to solve it.

woodcock · ‎06-15-2015

Do it like this:

... | eval type=if(match(Name, ".*\$$"), "computer", "human") | stats count by host,type

View solution in original post

woodcock · ‎06-15-2015

Do it like this:

... | eval type=if(match(Name, ".*\$$"), "computer", "human") | stats count by host,type

Hole in my "Bucket" - field value mixes Net_ID and computer names. Is it possible to split into computer bucket, Network ID bucket?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

Hole in my "Bucket" - field value mixes Net_ID and computer names. Is it possible to split into computer bucket, Network ID bucket?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey