Tag field values (including: event types, hosts, and sources)
You can tag a specific value of any indexed or extracted field using the following procedure.
To tag a field value:
1. Click the drop-down arrow next to any field value of a search result.
2. Choose Tag field name from the menu to bring up the tagging dialog.
3. Enter the tags you want in the "tags" field of the dialog (separated by commas or spaces).
Note: Tag names can't contain spaces.
Splunk displays tags you create for field values in italics next to the value that they are tagging.
For example, you can tag a value of the field date_year with the tags "date" and "year". First, follow the instructions to tag a field value. Enter the tags "date" and "year" in a space-delimited list (date year) in the Tags field of the tagging dialog box. For search results that contain the tagged date_year field value, Splunk displays the tags date and year next to that value.
Tag hosts or sources
You can tag specific hosts or sources in the same way that you tag field values (because hosts and sources are values of the host and source fields, respectively). Tag any host or source with one or more words describing its function or type to enable users to easily search for all activity on a group of similar servers. Once you tag a specific host or source, Splunk applies the same tag to every occurrence of that host or source in your system.
To tag a host or source:
1. Click the drop-down arrow next to the host or source value of any search result.
2. Choose Tag host from the menu to bring up the tagging dialog.
3. Enter the tags you want in the "tags" field of the dialog (separated by commas or spaces).
Once you tag a host or source, Splunk adds the tag next to the tagged host or source value in the main dashboard.
Host tags vs. host names
A host name is extracted at index time. Each event can have only one host name, but multiple host tags. With host tags, you can create a loose grouping of data without masking the underlying host name. For example, if your Splunk server is receiving compliance data from a specific host, tagging that host with compliance will help your compliance searches.
Tag event types
You can tag event types the same way that you tag any other field (because event types are values of the eventtype field). Tagging event types lets you create higher-level classifications for similar events from different sources. For example, you can apply the tag "logouts" to the different logout event types of different applications, so one search finds all of them.
Any event type can have multiple tags. For example, tag all firewall events as firewall, tag a subset as deny and tag another subset as allow. Once you tag an event of a certain type, Splunk applies the same tag to every occurrence of that event type in your system.
To tag an event type:
Note: Make sure you have selected the eventtype field from the Fields picker.
1. Click on the drop-down arrow next to the eventtype field.
2. Select Tag event type.
3. Enter the tags you want in the "tags" field of the dialog (separated by commas or spaces).
After you tag an event type, search for it using the eventtypetag search modifier. For example, to search for the event type tag "application_database":
eventtypetag=application_database
Methodologies for host and event type tag management
Splunk provides a Common Information Model that you can use to help your organization define a standardized tag management methodology for host and event type values.
For example, it suggests that every event type should have at minimum a single tag assigned from each of three categories: object tags, action tags, and status tags. This combination of tags enables a precise type classification. Using this method, a failed database login event type could have the tags database (object tag), authentication verify (action tag), and failure (status tag). For more information, see the Common Information Model subtopic on standard event type tags.
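The tagging behaviour described on this page (a tag attaches to one field value and then applies to every occurrence of that value, one host name but many host tags, the eventtypetag search) and the Common Information Model check (one tag from each of the object, action and status categories) as a small added model in Python. This is illustrative code written for this page, not Splunk's own implementation; the sample events, host names, event type names and category membership are constructed.

```python
"""Model of field-value tags as described above (constructed example, not Splunk code)."""
from collections import defaultdict

# Constructed sample events: exactly one host per event, one or more event types.
EVENTS = [
    {"host": "fw01", "source": "/var/log/fw.log", "eventtype": ["firewall_deny"]},
    {"host": "fw01", "source": "/var/log/fw.log", "eventtype": ["firewall_allow"]},
    {"host": "db01", "source": "/var/log/pg.log", "eventtype": ["db_login_failed"]},
    {"host": "app01", "source": "/var/log/app.log", "eventtype": ["app_logout"]},
]

# Assumed category membership for the CIM-style check; only the names the page
# mentions (database, authentication, verify, failure) plus a few constructed ones.
CIM = {
    "object": {"database", "firewall", "application"},
    "action": {"authentication", "verify", "logout"},
    "status": {"failure", "success", "deny", "allow"},
}

class TagStore:
    """Maps (field, value) -> set of tag names, like the 'Tag field value' dialog."""
    def __init__(self):
        self._tags = defaultdict(set)

    def tag(self, field, value, tags):
        # The dialog accepts comma- or space-separated tags; names never contain spaces.
        for name in tags.replace(",", " ").split():
            self._tags[(field, value)].add(name)

    def tags_for(self, field, value):
        return frozenset(self._tags.get((field, value), ()))

    def search(self, events, field, tag):
        """eventtypetag=<tag> when field == 'eventtype'; same idea for host or source."""
        hits = []
        for ev in events:
            values = ev[field] if isinstance(ev[field], list) else [ev[field]]
            if any(tag in self.tags_for(field, v) for v in values):
                hits.append(ev)
        return hits

def cim_missing_categories(store, eventtype, categories=CIM):
    """Return the categories in which this event type has no tag at all."""
    have = store.tags_for("eventtype", eventtype)
    return [name for name, members in categories.items() if not have & members]

def build_store():
    store = TagStore()
    store.tag("host", "db01", "compliance")                      # host tag
    store.tag("eventtype", "firewall_deny", "firewall deny")     # space-separated
    store.tag("eventtype", "firewall_allow", "firewall, allow")  # comma-separated
    store.tag("eventtype", "db_login_failed", "database authentication verify failure")
    store.tag("eventtype", "app_logout", "application logout logouts")  # no status tag
    return store
```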
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14.