Splunk Search

search query not filtered by tag command

Communicator

I have created a field using the rex command. I have partitioned the field into two parts: admin and spssuser. However, when I try to search for non-admins (tag!=admin), I still get both admins and non-admins.

index=spss earliest=-48h@h tag!=admin "Login succeeded for user" | rex field=_raw ".*Login succeeded for user: (?<user>.*)" 

When I replace tag!=admin with tag=admin, I get back no results. I was attempting to follow this video: http://www.splunk.com/view/SP-CAAAGYJ, but I am not having any success.

Thoughts?

0 Karma

Re: search query not filtered by tag command

Communicator

When alt-clicking on the tag spss_user, I get the following code:

index=spss earliest=-48h@h "Login succeeded for user" NOT tag::user="spss_user" | rex field=_raw ".*Login succeeded for user: (?<user>.*)"

However, when I search by this, I get back both the admin and spss_user tags.

0 Karma

Re: search query not filtered by tag command

Splunk Employee

Please post the definition of your tag. The tagging would occur behind the scenes before the rex command, so if it is depending upon the value of the rex fields (user), then you'll have to go through some other contortions to get it to work.

0 Karma

Re: search query not filtered by tag command

Communicator

I think you may have something there. Could it be that the tags are being called before the field user is created?

I tried the command below, but it did not work; everything was returned.

index=spss earliest=-48h@h "Login succeeded for user"  | rex field=_raw ".*Login succeeded for user: (?<user>.*)" | search NOT tag::user="spss_user"

Thoughts?

0 Karma

Re: search query not filtered by tag command

Splunk Employee

Yes, tags happen before your rex command is run. If you can't add this to the props for the sourcetype, add `| typer` after your rex, but before your search. This command evaluates eventtypes (upon which tags are based) manually, and would then act on any new fields that were made available by search commands earlier in the pipeline.

0 Karma
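One way to apply the first option in the reply above (defining the field extraction in props so that `user` already exists when the tagging stage runs), as an added example that is not from this thread. The sourcetype name `spss_login`, the user values and the tag definitions are assumptions, since the thread never shows the actual tag definition:

```ini
# props.conf (assumed sourcetype name "spss_login")
# EXTRACT-* runs in the search-time field-extraction stage, which is earlier
# in the pipeline than tagging, so "user" is present before tags are applied.
# A field created by "| rex" in the search string is not.
[spss_login]
EXTRACT-user = Login succeeded for user: (?<user>\S+)

# tags.conf (constructed definitions; replace with the real ones)
# Field/value tags attach to one field=value pair each.
[user=alice]
spss_user = enabled

[user=admin]
admin = enabled

# With these in place, the filter can sit before the first pipe and
# the rex command is no longer needed for the user field:
#   index=spss earliest=-48h@h "Login succeeded for user" NOT tag::user=spss_user
```

The new extraction applies only to searches run after the configuration is reloaded, and the `user` value in `tags.conf` must match the extracted value exactly, including case.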

Re: search query not filtered by tag command

Communicator

Hmmm... maybe I'm not following you as closely as I thought. I tried the following command:

index=spss earliest=-48h@h "Login succeeded for user" | rex field=_raw ".*Login succeeded for user: (?<user>.*)" | typer | search NOT tag::user="spss_user"

However, it doesn't appear that anything different has happened. I am still getting both the spss_user and the admin tags.

0 Karma