So, here's one way you can mask the RealLocation with a display "location": check whether the RealLocation is the same as in the prior record, using the autoregress function.

displayMessage='User single sign on to app') OR. Have you tried this: index=xyz sourcetype=Okta ((eventType=user.

I interpret this as the 2nd scenario in my previous post. When the user is on-prem you will see only one event. You just want to report it in such a way that the Location doesn't appear. Actually, when the user is on VPN you will see the events below.

Edit the nf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. If the destination field matches an already existing field name, then it overwrites the value of the matched field with the eval expression's result.

My initial idea was to have individual eventtypes for each operations value. If you are using Splunk Enterprise, you can configure multivalue fields in the nf file to specify how Splunk software detects more than one field value in a single extracted field value.

In the simplest words, the Splunk eval command can be used to calculate an expression and put the value into a destination field, like eval user=appUser.''.appDomain. If you (or your users) don't want to have to specify that in every search, though, you kind of can concatenate your appUser and appDomain values to.

You could find the unique values using, for example, a pattern like (OU ( a-z+)\b) ( \s\S\1) /r/41bspj/1 if lookaheads are supported.

strcat works great for more than two fields as well. I'm trying to export each value of the operations field into distinct fields per value. A quick and easy solution would be to use eval or strcat to concatenate the field values together. There are 39 unique values, each with its own unique set of fields. With the eval command you can categorize the transactions into: Bounced, 2-5 pages, 6-10 pages. Your data actually IS grouped the way you want.

The data in the AuditData field's keys is unique based on the values in a field called operations. The transaction command produces two fields: duration.