Splunk® Enterprise

Admin Manual

Download manual as PDF

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

tags.conf

The following are the spec and example files for tags.conf.

tags.conf.spec

# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved.  Version 4.3.1 
#
# This file contains possible attribute/value pairs for configuring tags.  Set any number of tags 
# for indexed or extracted fields.
#
# There is no tags.conf in $SPLUNK_HOME/etc/system/default/.  To set custom configurations, 
# place a tags.conf in $SPLUNK_HOME/etc/system/local/. For help, see tags.conf.example. 
# You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

[<fieldname>=<value>] 
    * The field name and value to which the tags in the stanza apply ( eg host=localhost ).
    * A tags.conf file can contain multiple stanzas. It is recommended that the value be URL encoded to avoid 
    * config file parsing errors especially if the field value contains the following characters: \n, =, []
    * Each stanza can refer to only one field=value
 
<tag1> = <enabled|disabled>
<tag2> = <enabled|disabled>
<tag3> = <enabled|disabled>
    * Set whether each <tag> for this specific <fieldname><value> is enabled or disabled.
    * While you can have multiple tags in a stanza (meaning that multiple tags are assigned to 
	  the same field/value combination), only one tag is allowed per stanza line. In other words, 
	  you can't have a list of tags on one line of the stanza.

    



tags.conf.example

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.3.1 
#
# This is an example tags.conf.  Use this file to create regexes and rules for transforms.
# Use this file in tandem with props.conf.
#
# To use one or more of these configurations, copy the configuration block into transforms.conf 
# in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
# 
# This first example presents a situation where the field is "host" and the three hostnames for which tags are being defined 
# are "hostswitch," "emailbox," and "devmachine." Each hostname has two tags applied to it, one per line. Note also that
# the "building1" tag has been applied to two hostname values (emailbox and devmachine).

[host=hostswitch]
pci = enabled
cardholder-dest = enabled

[host=emailbox]
email = enabled
building1 = enabled

[host=devmachine]
development = enabled
building1 = enabled

[src_ip=192.168.1.1]
firewall = enabled

[seekPtr=1cb58000]
EOF = enabled
NOT_EOF = disabled

PREVIOUS
sysmon.conf
  NEXT
tenants.conf

This documentation applies to the following versions of Splunk® Enterprise: 4.3.1 View the Article History for its revisions.


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters