Documentation > Splunk > Admin Manual > tags.conf

Admin Manual

 


About the Splunk Admin Manual
How Splunk Works
Getting Started
Data Inputs
Data Distribution
Indexing
Timestamps
Fields
Hosts
Source Types
Event Types
Transaction Types
Search
Distributed Search
Alerts
Security
Data Management
Deployment Server
Performance Tuning
Configuration Files
Applications
Reference
Troubleshooting

tags.conf

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

tags.conf

tags.conf.spec 

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains possible attribute/value pairs for configuring tags.  Set any number of tags 
# for indexed or extracted fields.
#
# There is no tags.conf in $SPLUNK_HOME/etc/system/default/.  To set custom configurations, 
# place a tags.conf in $SPLUNK_HOME/etc/system/local/. For help, see tags.conf.example. 
# You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
[<fieldname>] 
    * The field name to which the tags in the stanza apply ( eg host, source, ip ).
    * A tags.conf file can contain multiple stanzas. 
    * Each stanza can refer to only one field name.
 
tag::<value1>::<tag1> = <enabled|disabled>
tag::<value1>::<tag2> = <enabled|disabled>
tag::<value2>::<tag2> = <enabled|disabled>
tag::<value2>::<tag3> = <enabled|disabled>
    * Set whether each <tag> for a specific <value> of the field <fieldname> is enabled or disabled.
    * <value> is any possible value of field <fieldname>.
    * Only one tag is allowed per stanza line.

tags.conf.example 

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This is an example of a tags.conf file.  Use this file to create, disable, and delete tags for field values.
# Use this file in tandem with props.conf.
#
# To use one or more of these configurations, copy the configuration block into tags.conf 
# in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations and configuration changes.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
# 
# This first example presents a situation where the field is "host" and the three hostnames for which tags are being defined 
# are "hostswitch," "emailbox," and "devmachine." Each hostname has two tags applied to it, one per line. Note also that
# the "building1" tag has been applied to two hostname values (emailbox and devmachine).
[host]
tag::hostswitch::pci = enabled
tag::hostswitch::cardholder-dest = enabled
tag::emailbox::email = enabled
tag::emailbox::building1 = enabled
tag::devmachine::development = enabled
tag::devmachine::building1 = enabled
[src_ip]
tag::192.168.1.1::firewall = enabled
[seekPtr]
tag::1cb58000::EOF = enabled
tag::1d158000::NOT_EOF = disabled
Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.4.11/Admin/Tagsconf"

This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13 , 3.4.14 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!