I have created a field using the rex command. I have partitioned the field into two parts: admin and spss_user. However, when I try to search for non-admins (tag!=admin), I still get both admins and non-admins.
index=spss earliest=-48h@h tag!=admin "Login succeeded for user" | rex field=_raw ".*Login succeeded for user: (?<user>.*)"
When I replace tag!=admin with tag=admin, I get back no results. I was attempting to follow this video: http://www.splunk.com/view/SP-CAAAGYJ, but I am not having any success.
Thoughts?
Yes, tags happen before your rex command is run. If you can't add this to the props for the sourcetype, add | typer after your rex, but before your search. This command evaluates eventtypes (upon which tags are based), manually, and would then act on any new fields that were made available by search commands earlier in the pipeline.
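To make the ordering argument in this answer concrete, here is an added Python model of the search pipeline; it is not Splunk code and not the answerer's, and the sample events, the tag definitions (tags attached to user::admin and user::spss_user) and the function names are all constructed for the illustration. The point it shows is that a tag derived from the rex-extracted field cannot filter anything until that field exists, so the filter has to come after rex and a tag re-evaluation step:

```python
import re

# Constructed sample events; not taken from the original thread.
RAW_EVENTS = [
    "2024-01-01T10:00:00 Login succeeded for user: admin",
    "2024-01-01T10:01:00 Login succeeded for user: spss_user",
    "2024-01-01T10:02:00 Login succeeded for user: admin",
    "2024-01-01T10:03:00 Connection closed",
]

# Hypothetical tag definitions: tag name -> (field, value) it is attached to,
# standing in for tags on user::admin and user::spss_user.
TAG_DEFS = {
    "admin": ("user", "admin"),
    "spss_user": ("user", "spss_user"),
}

USER_RE = re.compile(r".*Login succeeded for user: (?P<user>.*)")


def make_events(raw_lines):
    """Events start with only _raw, as they come back from the index."""
    return [{"_raw": line, "tag": set()} for line in raw_lines]


def search_term(events, term):
    """Model of the initial search: keep events whose _raw contains the phrase."""
    return [e for e in events if term in e["_raw"]]


def rex(events):
    """Model of '| rex field=_raw ...': extract 'user' where the pattern matches."""
    for e in events:
        m = USER_RE.match(e["_raw"])
        if m:
            e["user"] = m.group("user")
    return events


def typer(events):
    """Model of '| typer': recompute tags from the fields present at this point."""
    for e in events:
        e["tag"] = {t for t, (field, value) in TAG_DEFS.items() if e.get(field) == value}
    return events


def exclude_tag(events, tag):
    """Model of 'tag!=admin' / 'NOT tag::user=...': drop events carrying the tag."""
    return [e for e in events if tag not in e["tag"]]


def users(events):
    """Extracted user values, in event order (None where rex did not match)."""
    return [e.get("user") for e in events]


def tag_before_rex(raw_lines, excluded_tag="admin"):
    """The failing search: tags and the tag filter are evaluated before rex creates 'user'."""
    events = make_events(raw_lines)
    events = typer(events)                      # 'user' does not exist yet -> no tags at all
    events = exclude_tag(events, excluded_tag)  # nothing carries the tag, everything passes
    events = search_term(events, "Login succeeded for user")
    return users(rex(events))


def rex_then_typer(raw_lines, excluded_tag="admin"):
    """The suggested order: rex, then '| typer' to re-evaluate tags, then '| search'."""
    events = search_term(make_events(raw_lines), "Login succeeded for user")
    events = rex(events)
    events = typer(events)                      # tags now see the extracted 'user' field
    return users(exclude_tag(events, excluded_tag))


if __name__ == "__main__":
    print("tag filter before rex :", tag_before_rex(RAW_EVENTS))
    print("rex | typer | search  :", rex_then_typer(RAW_EVENTS))
```

Running it prints every login for the first ordering (both admins and spss_user survive the `tag!=admin` filter) and only the spss_user login for the second, which is the behaviour the answer describes. The model treats tags as a pure function of the fields present at evaluation time; how Splunk itself schedules tag lookup is not something this thread documents.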
Hmmm... maybe I'm not following you as closely as I thought. I tried the following command
index=spss earliest=-48h@h "Login succeeded for user" | rex field=_raw ".*Login succeeded for user: (?<user>.*)" | typer | search NOT tag::user="spss_user"
however, it doesn't appear that anything different has happened. I am still getting both the spss_user and the admin tags.
Please post the definition of your tag. The tagging would occur behind the scenes before the rex command, so if it is depending upon the value of the rex fields (user), then you'll have to go through some other contortions to get it to work.
I think you may have something there. Could it be that the tags are being called before the field user is created?
I tried the below command, but it did not work, everything was returned.
index=spss earliest=-48h@h "Login succeeded for user" | rex field=_raw ".*Login succeeded for user: (?<user>.*)" | search NOT tag::user="spss_user"
Thoughts?
When Alt-clicking on the tag spss_user, I get the following code:
index=spss earliest=-48h@h "Login succeeded for user" NOT tag::user="spss_user" | rex field=_raw ".*Login succeeded for user: (?<user>.*)"
However, when I search by this, I get back both the admin and spss_user tags