Solved: Re: Hole in my "Bucket" - field value mixes Net_ID...

kkas · ‎06-15-2015

The sourceType I was told to mess with has a "Name" field. The field sometimes holds the value of a users Network ID like johnSmith, but other times it will have a computer_name like RUIOEFJ876V8$. computer_name always ends in a $ sign.

Is it possible to split these into two buckets when tabling my search?

I tried using the regex command, but I'm not sure how to implement it with buckets, so I wanted to check if anyone had any ideas with that way of solving the issue or if they had an opinion of a better way to solve it.

woodcock · ‎06-15-2015

Do it like this:

... | eval type=if(match(Name, ".*\$$"), "computer", "human") | stats count by host,type

View solution in original post

woodcock · ‎06-15-2015

Do it like this:

... | eval type=if(match(Name, ".*\$$"), "computer", "human") | stats count by host,type

Hole in my "Bucket" - field value mixes Net_ID and computer names. Is it possible to split into computer bucket, Network ID bucket?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Hole in my "Bucket" - field value mixes Net_ID and computer names. Is it possible to split into computer bucket, Network ID bucket?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!