In your data, you might have groups of events with related field values. To help you search more efficiently for these particular groups of event data, you can assign tags to their field values. You can assign one or more tags to any field/value combination (including event type, host, or source type).
Note: Only alphanumeric characters, underscores, hyphens and periods are allowed for tags. This is why the source field can not be tagged as it will always include a slash and/or a colon.
You can use tags to:
- Help you track abstract field values, like IP addresses or ID numbers. For example, you could have an IP address related to your main office with the value 192.168.1.2. Tag that
IPaddressvalue as mainoffice, and then search on that tag to find events with that IP address.
- Use one tag to group a set of field values together, so you can search on them with one simple command. For example, you might find that you have two host names that relate to the same computer. You could give both of those values the same tag. When you search on that tag, Splunk returns events involving both host name values.
- Give specific extracted fields multiple tags that reflect different aspects of their identity, which enable you to perform tag-based searches that help you quickly narrow down the results you want. To understand how this could work, see the following example.
Let's say you have an extracted field called
IPaddress, which refers to the IP addresses of the data sources within your company intranet. You can make
IPaddress useful by tagging each IP address based on its functionality or location. You can tag all of your routers' IP addresses as router. You can also tag each IP address based on its location, for example: SF or Building1. An IP address of a router located in San Francisco inside Building 1 could have the tags router, SF, and Building1.
To search for all routers in San Francisco that are not in Building1, you'd search for the following:
tag=router tag=SF NOT (tag=Building1)
Configure workflow actions through workflow_actions.conf
Define and manage tags
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7