Evaluate only certain eventtypes by tag

ihpyr4 · ‎06-28-2018

I am trying to do a search in Splunk that applies only eventtypes that are owned by my account to the events found. The best way I found to do this so far was to tag each eventtype and filter that using tag::eventtype="my_eventtype" which appears to successfully apply only what I asked. The problem is that now the search will filter out any events that the eventtypes do not apply to. I still want to see all of the events that the search finds, but only apply the eventtypes I want to improve efficiency (we have a lot of eventtypes at my company). Is there any way to have search only evaluate certain eventtypes but still show all events found for a search?

woodcock · ‎08-05-2019

If I understand you correctly, you would like your events to ONLY show those eventtypes that are owned by YOU. If so, just add this to the bottom of your search (be sure to replace the <*****INSERT YOUR SPLUNK LOGIN HERE*****>😞

... | eval eventtype = mvfilter(match(eventtype, [| rest/servicesNS/<*****INSERT YOUR SPLUNK LOGIN HERE*****>/-/configs/conf-eventtypes splunk_server=local 
| table title 
| format "" "" "" "|" "" "" 
| rex field=search mode=sed "s/title=//g s/\"//g s/ //g s/^/\"/ s/\|?$/\"/"
| return $search]))
| table eventtype

woodcock · ‎06-29-2018

Remove any tag= and/or eventtype= from your search.

johnward4 · ‎08-05-2019

@woodcock I'm trying to do something very similar to the question for this post. Any ideas how I would be able to return only results for my specific eventtype? https://answers.splunk.com/answers/762805/help-searching-using-eventtype-and-tags.html?childToView=7...

Evaluate only certain eventtypes by tag

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!