
tags
Description
Annotates specified fields in your search results with tags. If there are fields specified, only annotate tags for those fields. Otherwise, look for tags for all fields. If outputfield is specified, the tags for all fields will be written to this field. If outputfield is specified, inclname and inclvalue control whether or not the field name and field values are added to the output field. By default only the tag itself is written to the outputfield, that is (<field>::)?(<value>::)?tag .
Syntax
tags [outputfield=<field>] [inclname=<bool>] [inclvalue=<bool>] <field-list>
Required arguments
- <field-list>
- Syntax: <field> <field> ...
- Description: Specify the fields to annotate with tags.
Optional arguments
- outputfield
- Syntax: outputfield=<field>
- Description: If specified, the tags for all fields will be written to this field. Otherwise, the tags for each field will be written to a field named
tag::<field>
.
- inclname
- Syntax: inclname=T | F
- Description: If outputfield is specified, this controls whether or not the field name is added to the output field. Specify
T
(True) to include the field name. - Default: F
- inclvalue
- Syntax: inclvalue=T | F
- Description: If outputfield is specified, controls whether or not the field value is added to the output field. Specify
T
(True) to include the field value. - Default: F
Usage
The tags
command is a distributable streaming command. See Command types.
Examples
Example 1:
Write tags for host and eventtype fields into tag::host and tag::eventtype.
... | tags host eventtype
Example 2:
Write new field test that contains tags for all fields.
... | tags outputfield=test
Example 3:
Write tags for host and sourcetype into the test
field in the format host::<tag> or sourcetype::<tag>. Include the field name in the output.
... | tags outputfield=test inclname=t host sourcetype
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the tags command.
PREVIOUS table |
NEXT tail |
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.9, 6.4.10, 6.4.11, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0, 6.4.8, 6.5.0, 6.5.1, 6.5.10
Feedback submitted, thanks!