With the menu now visible, we can tag this value of the user field:
We are presented with the Tag This Field dialog as shown in the following screenshot. Let's tag user=jacky with admin:
We now see our tag next to this field:
Once this is done, repeat the same steps to tag user=linda with admin.
With these two users tagged, we can search for the tag value instead of the
actual usernames:
sourcetype="impl_splunk_gen" tag::user="admin"
Under the covers, this query is unrolled into exactly the same query we started
with. The advantage is that if this tag is added to new values or removed from
existing ones, no queries have to be updated.
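The unrolling described above can be sketched outside Splunk. This is an added example, not code from the original text or from Splunk: it assumes the tags are stored in the tags.conf stanza format ([field=value] followed by tag = enabled), and the sample file contents, the user=bob entry, and the function names load_tags and expand_tags are constructed for illustration.

```python
import configparser
import re
from urllib.parse import unquote

# Constructed tags.conf content mirroring the two tags created above,
# plus one disabled tag (user=bob is made up) to show it is ignored.
SAMPLE_TAGS_CONF = """
[user=jacky]
admin = enabled

[user=linda]
admin = enabled

[user=bob]
admin = disabled
"""

# Matches a search term such as tag::user="admin" or tag::user=admin.
TAG_TERM = re.compile(r'tag::(\w+)="?([\w-]+)"?')


def load_tags(conf_text):
    """Return {(field, tag): [values]} for every enabled tag."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep tag names exactly as written
    parser.read_string(conf_text)
    tags = {}
    for stanza in parser.sections():
        # Stanza names are field=value; values are URL-encoded in the file.
        field, _, value = stanza.partition("=")
        for tag, state in parser[stanza].items():
            if state.strip().lower() == "enabled":
                tags.setdefault((field, tag), []).append(unquote(value))
    return tags


def expand_tags(search, tags):
    """Rewrite each tag::field=tag term as an OR over the tagged values."""
    def unroll(match):
        field, tag = match.group(1), match.group(2)
        values = tags.get((field, tag))
        if not values:
            return match.group(0)  # unknown tag: leave the term untouched
        return "(" + " OR ".join(f'{field}="{v}"' for v in values) + ")"
    return TAG_TERM.sub(unroll, search)


if __name__ == "__main__":
    query = 'sourcetype="impl_splunk_gen" tag::user="admin"'
    print(expand_tags(query, load_tags(SAMPLE_TAGS_CONF)))
```

Adding or removing a stanza changes the expanded search while the saved tag::user="admin" query stays the same, which is why a tag such as admin is a convenient anchor for searches over privileged accounts.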