Splunk® Enterprise

Knowledge Manager Manual


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Tag and alias field values in Splunk Web

In your data, you might have groups of events with related field values. To help you search more efficiently for these groups of fields, you can assign tags to their field values. You can assign one or more tags to any extracted field (including event type, host, source, or source type).

For more information, read "About tags and aliases" in the Knowledge Manager manual.

How to tag and alias field values

You can tag field/value pairs. You can also alias field names.

Tag field value pairs

You can use Splunk Web to tag any field value pair directly from the search results.

1. Locate an event with a field value pair that you would like to tag.

2. Open the event by clicking on the arrow in the i column to see the full list of fields extracted from the event.

3. Click the Actions arrow for the field value pair that you would like to create a tag for and select Edit Actions.

This opens the Create Actions dialog.


4. In the Create Actions dialog, define one or more Tag(s) for the field value pair.

Values for the Tags field must not be enclosed within double quotes.


5. Click Save to save the tag.

Removing URL-encoded values from tag definitions

When you tag a field value pair, the "value" part of the pair cannot be URL-encoded. If your tag has any %## format URL-encoding, decode it and then save the tag with the decoded URL.

For example, say you want to give the field value pair url=http%3A%2F%2Fdocs.splunk.com%2FDocumentation the tag "Useful":


1. Create and save the tag in Splunk Web.

2. Navigate to Settings > Tags > List by tag name and click on the Useful tag name to open the detail page for that tag.

3. Under Field value pair replace url=http%3A%2F%2Fdocs.splunk.com%2FDocumentation with the decoded version: url=http://docs.splunk.com/Documentation.

4. Click Save to save your changes.
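The decode step in the procedure above, as an added example that is not part of the Splunk documentation: a Python helper that checks field value pairs for %## escapes and produces the decoded pair to paste into the Field value pair box. The function name and all sample pairs other than the docs.splunk.com one are constructed for illustration.

```python
import re
from urllib.parse import unquote

# One %## escape: a percent sign followed by exactly two hex digits.
PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def decode_tag_pair(pair):
    """Decode the value part of a 'field=value' pair once.

    Returns (pair_to_save, changed, needs_review). The field name is never
    touched, and a bare '%' that is not a %## escape is left alone.
    """
    field, sep, value = pair.partition("=")  # split on the first '=' only
    if not sep or not field:
        raise ValueError(f"not a field=value pair: {pair!r}")
    if not PERCENT_ESCAPE.search(value):
        return pair, False, False
    # errors="strict": fail loudly instead of inserting U+FFFD replacements.
    decoded = unquote(value, errors="strict")
    # Escapes that survive one pass mean the value was encoded twice;
    # flag it for a human instead of guessing how far to decode.
    needs_review = bool(PERCENT_ESCAPE.search(decoded))
    return f"{field}={decoded}", True, needs_review


# Constructed sample pairs; the first is the one used on this page.
SAMPLE_PAIRS = [
    "url=http%3A%2F%2Fdocs.splunk.com%2FDocumentation",
    "host=web01.example.com",
    "discount=50%",
    "uri_path=%252Fadmin",
    "url=http%3A%2F%2Fexample.com%2F%3Fq%3Da%3Db",
]

if __name__ == "__main__":
    for pair in SAMPLE_PAIRS:
        fixed, changed, review = decode_tag_pair(pair)
        if not changed:
            print(f"ok      {pair}")
        else:
            note = "  (still has %## escapes, check by hand)" if review else ""
            print(f"replace {pair}\n   with {fixed}{note}")
```

A pair flagged for review was encoded more than once; confirm which form actually appears in the extracted field before saving the tag.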

See "Define and manage tags" for more information about using the Settings pages for tags.

Alias field names

You can add multiple aliases to a field name or use these field aliases to normalize different field names. This does not rename or remove the original field name. After you alias a field, you can search for it using any of its name aliases. To alias a field name, you need to have access to props.conf. For information on how to do this, see "Create aliases for fields" in the Knowledge Manager manual.

Search for tagged field values

There are two ways to search for tags. If you are searching for a tag associated with a value on any field, you can use the following syntax:


Or, if you are looking for a tag associated with a value on a specific field, you can use the following syntax:


Use wildcards to search for tags

You can use the asterisk (*) wildcard when searching keywords and field values, including for eventtypes and tags.

For example, if you have multiple event-type tags for various types of IP addresses, such as IP-src and IP-dst, you can search for all of them with:


If you want to find all hosts whose tags contain "local", you can search for the tag:


Also, if you want to search for the events with eventtypes that have no tags, you can search for the Boolean expression:

NOT tag::eventtype=*

Disabling and deleting tags

If you have a tag that you no longer want to use, or no longer want to have associated with a particular field, you can either disable it or remove it. You can:

  • Remove a tag association for a specific field value through the Search app.
  • Disable or delete tags, even if they are associated with multiple field values, via Splunk Web.

For more information about using Splunk Web to manage tags, see "Define and manage tags" in the Knowledge Manager manual.

Remove a tag association for a specific field value in search results

If you no longer want to have a tag associated with a specific field value in your search results, click the arrow next to that event, then under Actions click on the arrow next to that field value, then select Edit Tags to bring up the Create Tags popup window.

Erase the tag or tags that you want to disable from the Tags field and click Save. This removes this particular tag and field value association from the system. If this is the only field value with which a tag is associated, then the tag is removed from the system.

Rename source types

When you configure a source type in props.conf, you can rename the source type. Multiple source types can share the same name; this can be useful if you want to group a set of source types together for searching purposes. For example, you can normalize source type names that include "-too_small" to remove the classifier. For information on how to do this, see "Rename source types" in the Getting Data In Manual.

Last modified on 14 September, 2016

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11
