Tag and alias field values
This documentation does not apply to the most recent version of Splunk.
In your data, you might have groups of events with related field values. To help you search more efficiently for these groups of fields, you can assign tags to their field values. You can assign one or more tags to any extracted field (including event type, host, source, or source type).
For more information, read "About tags and aliases" in the Knowledge Manager manual.
How to tag and alias field values
Tag field values
You can use Splunk Web to tag any field value directly from the search results. In any resulting event that has the field value that you want to tag, click on the arrow next to that field value. A dropdown menu opens with an option to tag that value. For example, if you selected a syslog source type, you will see:
After you select the Tag action for your field value, you can add the tag or tags in the "Tag this field" popup window:
Alias field names
You can add multiple aliases to a field name or use these field aliases to normalize different field names. This does not rename or remove the original field name. After you alias a field, you can search for it using any of its name aliases. To alias a field name, you need to have access to props.conf. For information on how to do this, see "Create aliases for fields" in the Knowledge Manager manual.
Search for tagged field values
There are two ways to search for tags. If you are searching for a tag associated with a value on any field, you can use the following syntax:
tag=<tagname>
Or, if you are looking for a tag associated with a value on a specific field, you can use the following syntax:
tag::<field>=<tagname>
Use wildcards to search for tags
You can use the asterisk (*) wildcard when searching keywords and field values, including for eventtypes and tags.
For example, if you have multiple event-type tags for various types of IP addresses, such as IP-src and IP-dst, you can search for all of them with:
tag::eventtype=IP-*
If you want to find all hosts whose tags contain "local", you can search for the tag:
tag::host=*local*
Also, if you want to search for the events with eventtypes that have no tags, you can search for the Boolean expression:
NOT tag::eventtype=*
Disabling and deleting tags
If you have a tag that you no longer want to use, or no longer want associated with a particular field value, you can either disable it or remove it. You can:
- Remove a tag association for a specific field value through the search UI.
- Delete a tag, even if it is associated to multiple field values, via Splunk Manager.
- Disable a tag association with a specific field value through Splunk Manager.
Remove a tag association for a specific field value
If you no longer want to have a tag associated with a specific field value in your search results, click the arrow next to that field/value combination to open up the dropdown menu. Select Tag [fieldname]=[value] to bring up the Tag This Field popup window.
Erase the tag or tags that you want to disable from the Tags field and click Save. This removes this particular tag and field value association from the system. If this is the only field value with which a tag is associated, then the tag is removed from the system.
Delete a tag
You can use Splunk Manager to delete a tag completely. This can be useful if the tag is associated with multiple field values and you just want to get rid of all of these tag associations in one step.
Start by going to Splunk Manager (select Manager in the upper right-hand corner of the screen), navigate to Tags > Tags by Tag Name and delete selected tags there. This method is useful if you want to remove a tag that is associated with multiple field values.
Disable a tag association
You can also disable the association between a tag and a particular field value. After an association is disabled, it stays in the system but is inactive until it is enabled again.
To do this, go to Splunk Manager (select Manager in the upper right-hand corner of the screen), click Tags, and then click either Tags by Field Value or All Tag Objects.
- On Tags by Field Value you can disable all tag associations for a particular field value. Select a field value and click Disable to disable all of its tag associations.
Note: You can also go into the edit view for a particular field value and delete a tag association directly.
- On All Tag Objects, find the tag and field value combination that you would like to disable and click Disable.
Rename source types
When you configure a source type in props.conf, you can rename the source type. Multiple source types can share the same name; this can be useful if you want to group a set of source types together for searching purposes. For example, you can normalize source type names that include "-too_small" to remove the classifier. For information on how to do this, see "Rename source types" in the Knowledge Manager manual.
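The on-disk form of what this page sets up through Splunk Web and Manager, as an added example rather than configuration taken from the Splunk documentation: tag associations are stored in tags.conf, and field aliases and source type renames in props.conf. All host, field, tag, and source type names below are constructed for illustration.

```ini
# ---- tags.conf ----
# One stanza per field/value pair, one line per tag.
# (Constructed example; host and tag names are illustrative.)

[host=web01.local]
local = enabled
# A disabled association stays in the file but is inactive
# until it is set back to "enabled".
dmz = disabled

[eventtype=firewall_src]
IP-src = enabled

[eventtype=firewall_dst]
IP-dst = enabled

# ---- props.conf ----
# Field aliases and source type renames, keyed by source type.

[syslog]
# FIELDALIAS-<class> = <original_field> AS <alias>
# The original field name is kept; both names are searchable.
FIELDALIAS-normalize_src = ipaddress AS src_ip

[fw_vendor_log]
# A second source with a different field name for the same thing,
# normalized to the same alias.
FIELDALIAS-normalize_src = src AS src_ip

[syslog-too_small]
# Drop the "-too_small" classifier so these events are
# searchable under the shared name "syslog".
rename = syslog
```

With this configuration, a search on src_ip covers both source types through one field name, tag::eventtype=IP-* matches both event types, and tag::host=*local* matches web01.local through its enabled "local" tag but not through the disabled "dmz" tag.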
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11

