Splunk software provides multiple methods for tag creation and management. Most users use the simplest method tagging field/value pairs directly in search results. See Tag and alias field values in Search.
As a knowledge manager, you can use the Tags page in Settings to manage the tags created by users of your Splunk deployment.
- Manage tags for your Splunk deployment.
- Create tags.
- Disable or delete tags.
Use the Tags pages in Settings to do the following tasks.
Using the Tag page in Settings
The Tags page in Settings gives you three views of your tags. Each view is a different tag organization.
- Field/value pair
- Unique ID.
You can manage your tag collection in different ways and get quick access to associations that are made between tags and field/value pairs. You can create and remove associations between tags.
Managing tag sets associated with specific field/value pairs
From the List by field/value pair page you can review and edit the tag sets that have been associated with particular field/value pairs.
You can use this page to manage the permissions for a field/value combination with tags.
To see the list of tags for a field/value pair, locate the pairing and click on the field/value pair. This opens the associated detail page for that pair.
The following is an example of a set of tags that are defined for the
eventtype=auditd_create field/value pair.
You can add and delete tags from this view, if you have the permissions to do so.
Click New on the List by field/value pair page, to define a set of tags for a field/value pair.
When you create or update a tag list for a field/value pairing, you might create tags, or associate tags with a different kind of field/value pair than they were designed to work with. As a knowledge manager consider using a carefully designed and maintained set of tags. This practice aids with data normalization, and can reduce confusion on the part of your users.
Note: You can verify the existence of a field/value pair that you add to the Tags by field/value pair(s) page. The system does not prevent you from defining a list of tags for a nonexistent field/value pair.
On the List by tag name page in Splunk Web, you can review and edit the sets of field/value pairs that have been associated with specific tags.
You cannot manage permissions for the set of field/value pairs associated with a tag on this page.
You can see the list of field/value pairings for a particular tag. Find the tag in the List by tag name page, and click on the tag name in the Tag name column. This opens the detail page for the tag.
The following is an example of the various field/value pairing that the
modify tag has been associated with.
You can add and delete field/value associations, if you have the permissions to do so.
To define a set of field/value pairings for a tag, click New on the List by tag name page.
When you create or update a set of field/value pairings for a tag, you might create new field/value pairings. You can verify the existence of field/value pairs that you associate with a tag. The system does not prevent you from adding nonexistent field/value associations.
Tags might exist for the purpose you want to address. As a knowledge manager, you should consider sticking to a carefully designed and maintained set of tags. This practice aids with data normalization and can reduce confusion on the part of your users. See Manage knowledge objects through Settings pages.
Reviewing all unique field/value pair and tag combinations
The All unique tag objects page lists out all of the unique tag name and field/value pairings in your system. This page only lets you edit one-to-one relationships between tags and field/value pairs.
You can search for a particular tag to quickly see all of the field/value pairs with which it's associated, or you can disable or clone a particular tag and field/value association, or you can maintain permissions at that level of granularity.
If you have a tag that you no longer want to use, or want to have associated with a particular field/value pairing, you can disable it or remove it.
- Remove a tag association for a specific field/value pair in the search results.
- Bulk disable or delete a tag, even if it is associated to multiple field values, with the List by tag name page.
- Bulk disable or delete the associations between a field/value pair and a set of tags by using the List by field/value pair page.
For information about deleting tag associations with specific field/value pairs in your search results, see Tag field/value pairs in Search.
Delete a tag with multiple field/value pair associations
You can use Splunk Web to remove a tag from your system, even if it is associated with dozens of field/value pairs. This method lets you get rid of all of these associations in one step.
Select Settings > Tags > List by tag name. Delete the tag. If you don't see a delete link for the tag, you don't have permission to delete it. When you delete tags, be aware of downstream dependencies. See Manage knowledge objects through Settings pages.
Note: You can open the edit view for a particular tag and delete a field/value pair association directly.
Use this method to bulk-remove the set of tags that is associated to a field/value pair. This method enables you to get rid of these associations in a single step. It does not remove the field/value pairing from your data, however.
Select Settings > Tags > List by field/value pair. Delete the field/value pair. If you do not see a delete link for the field/value pair, you do not have permission to delete it. When you delete these associations, be aware of downstream dependencies that may be adversely affected by their removal. See Manage knowledge objects through Settings pages.
Note: You can also delete a tag association directly in the edit view for a particular field/value pair.
Depending on your permissions to do so, you can also disable tag and field/value pair associations using the three Tags pages in Settings. When an association between a tag and a field/value pair is disabled, it stays in the system but is inactive until it is enabled again.
Tag field/value pairs in Search
Tag the host field
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2