About tags
Tags help you group search results that share field values. A tag is a name that you attach to a group of results that share the same value of a particular extracted field or indexed field (such as a host, source, or sourcetype). Apply any number of tags to any extracted field, event type, host, or source (Learn how to tag fields), with the exception of sourcetypes (see Source type aliases, below).
You can use tags to:
- Help you track abstract field values, like IP addresses or ID numbers. For example, you could have an IP address related to your main office with the value 192.168.1.2. Tag that IPaddress value as mainoffice, and then search on that tag to find events with that IP address.
- Use one tag to group a set of field values together, so you can search on them with one simple command. For example, you might find that you have two host names that relate to the same computer. You could give both of those values the same tag. When you search on that tag, Splunk returns events involving both host name values.
- Give specific extracted fields multiple tags that reflect different aspects of their identity, which enables you to perform tag-based searches that help you quickly narrow down the results you want. To understand how this could work, see the following example.
Example:
Let's say you have an extracted field called IPaddress, which refers to the IP addresses of the data sources within your company intranet. You can make IPaddress useful by tagging each IP address based on its functionality or location. You can tag all of your routers' IP addresses as router. You can also tag each IP address based on its location, for example: SF or Building1. An IP address of a router located in San Francisco inside Building 1 could have the tags router, SF, and Building1.
To search for all routers in San Francisco that are not in building 1, you'd search for the following:
tag=router tag=SF NOT (tag=Building1)
For another example of using tags to search, you can watch this Splunk developer video.
Source type aliases
Source type aliases are similar to tags with the exception that you can only apply a single alias to a specific source type (though you can apply the same alias to a set of source types). Read more about sourcetype aliasing.
Search for events containing tags
Search for tags by using the tag search modifier. The following examples show you how to search for indexed fields (such as hosts, sources, or sourcetypes) using the tag modifier.
When you tag a host, source, or sourcetype, Splunk adds the tag next to the value in the main dashboard. Search using the tags in the main dashboard by clicking on them. If you're searching for a host tag, Splunk adds hosttag="tagname" in the search bar when you click on a host tag, and it adds tag::source="tagname" to the search bar when you click on a source tag.
The following two examples are equivalent, and search for events that have host field values associated with the tag "public." This might indicate hosts which are accessible from the internet directly.
tag::field=tag
Example:
tag::host=public
tag::field::tag
Example:
tag::host::public
The third form, tag=tag, returns all events with field values that have been tagged with "public," regardless of which field carries the value. It would return all of the events found in the preceding two examples, as well as any other events with fields whose values were tagged with "public." Perhaps this might bring back events from services which are accessible from the internet as well as all data from hosts tagged the same way.
tag=tag
Example:
tag=public
Configure tags
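To make the difference between tag::host=public and tag=public concrete, here is an added Python model of the tag semantics (not Splunk's own code); it reads a constructed tags.conf fragment in the stanza format tags.conf uses and evaluates the search forms above, plus the NOT search from the router example, over constructed events. The host names, sources and tag assignments are assumptions made up for the example, and the model ignores details such as case handling in real Splunk matching.

```python
import configparser

# Constructed tags.conf fragment (real stanza format): [<field>=<value>] sections listing tags as enabled/disabled.
TAGS_CONF = """[host=web01]
public = enabled
router = disabled
[host=rtr-sf-01]
router = enabled
SF = enabled
Building1 = enabled
[host=rtr-sf-02]
router = enabled
SF = enabled
[source=/var/log/haproxy.log]
public = enabled
"""

# Constructed sample events (field -> value) standing in for indexed events.
EVENTS = [
    {"host": "web01", "source": "/var/log/httpd/access_log"},
    {"host": "rtr-sf-01", "source": "/var/log/syslog"},
    {"host": "rtr-sf-02", "source": "/var/log/syslog"},
    {"host": "db01", "source": "/var/log/haproxy.log"},
]

def load_tags(conf_text):
    """Return {(field, value): {tag, ...}} holding only tags marked enabled."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep tag-name case ("SF", "Building1")
    cp.read_string(conf_text)
    return {tuple(s.partition("=")[::2]): {t for t, v in cp[s].items() if v == "enabled"}
            for s in cp.sections()}

def event_tags(event, tags, field=None):
    """Tags on an event's field values; field=None means any field (the tag=... form)."""
    fields = [field] if field else list(event)
    return set().union(*(tags.get((f, event[f]), set()) for f in fields if f in event))

def search(events, tags, must, must_not=(), field=None):
    """Model tag::<field>=<tag> (field given) or tag=<tag> (field None); terms are ANDed."""
    def matches(ev):
        have = event_tags(ev, tags, field)
        return set(must) <= have and not (set(must_not) & have)
    return [ev["host"] for ev in events if matches(ev)]

if __name__ == "__main__":
    tags = load_tags(TAGS_CONF)
    print(search(EVENTS, tags, ["public"], field="host"))  # tag::host=public -> ['web01']
    print(search(EVENTS, tags, ["public"]))  # tag=public -> ['web01', 'db01']
    print(search(EVENTS, tags, ["router", "SF"], must_not=["Building1"]))  # -> ['rtr-sf-02']
```

Note that tag=public also pulls in db01, whose host carries no tag at all: the match comes from its source value, which is exactly why the field-scoped form is the safer choice when a tag name is reused across fields.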
The tags.conf file holds all of the tag definitions that you create through Splunk Web. You can use tags.conf to add or remove tags directly, create tag backups, and share sets of tags among Splunk servers. Learn how to configure tags via tags.conf.
Configure roles for tagging
Your role configuration and those of others can include specific role-based tagging capabilities. A Splunk administrator must define the ability to create, edit, or delete tags in your role configuration by editing authorize.conf.
This documentation applies to the following versions of Splunk: 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14