Splunk Search

search query not filtered by tag command

Splunkster45
Communicator

I have created a field using the rex command. I have partioned the field into two parts: admin and spss_user. However when I try to search for non admins (tag!=admin), I still get both admin and non_admins.

index=spss earliest=-48h@h tag!=admin "Login succeeded for user" | rex field=_raw ".*Login succeeded for user: (?<user>.*)" 

When I replace tag!=admin with tag=admin, I get back no results. I was attempting to follow this video: http://www.splunk.com/view/SP-CAAAGYJ, but I am not having any success.

Thoughts?

Tags (3)
0 Karma

sowings
Splunk Employee
Splunk Employee

Yes, tags happen before your rex command is run. If you can't add this to the props for the sourcetype, add | typer after your rex, but before your search. This command evaluates eventtypes (upon which tags are based), manually, and would then act on any new fields that were made available by search commands earlier in the pipeline.

0 Karma

Splunkster45
Communicator

Hmmm... maybe I'm not following you as closely as I thought. I tried the following command

    index=spss earliest=-48h@h "Login succeeded for user"  | rex field=_raw ".*Login succeeded for user: (?<user>.*)" | typer | search NOT tag::user="spss_user"

however, it doesn't appear that anything different has happened. I am still getting both the spss_user and the admin tags.

0 Karma

sowings
Splunk Employee
Splunk Employee

Please post the definition of your tag. The tagging would occur behind the scenes before the rex command, so if it is depending upon the value of the rex fields (user), then you'll have to go through some other contortions to get it to work.

0 Karma

Splunkster45
Communicator

I think you may have something there. Could it be that the tags are being called before the field user is created?

I tried the below command, but it did not work, everything was returned.

index=spss earliest=-48h@h "Login succeeded for user"  | rex field=_raw ".*Login succeeded for user: (?<user>.*)" | search NOT tag::user="spss_user"

Thoughts?

0 Karma

Splunkster45
Communicator

When alt clicking on the tag spss_user I get the following code

index=spss earliest=-48h@h "Login succeeded for user" NOT tag::user="spss_user" | rex field=_raw ".*Login succeeded for user: (?<user>.*)"

However, when I search by this, I get back both the admin and spss_user tags

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...