About tags and aliases
In your data, you might have groups of events with related field values. To search more efficiently for these groups of event data, you can assign tags and aliases to your data.
If you tag tens of thousands of items, use field lookups. Using many tags will not affect indexing, but your search has better event categorization when using lookups. For more information on field lookups, see About lookups.
Tags
Tags enable you to assign names to specific field and value combinations, including event type, host, source, or source type.
You can use tags to help you track abstract field values, like IP addresses or ID numbers. For example, you could have an IP address related to your main office with the value 192.168.1.2. Tag that IPaddress value as mainoffice, and then search for that tag to find events with that IP address.
You can use a tag to group a set of field values together, so that you can search for them with one command. For example, you might find that you have two host names that refer to the same computer. You could give both of those values the same tag. When you search for that tag, events that involve both host name values are returned.
You can give extracted fields multiple tags that reflect different aspects of their identity, which enable you to perform tag-based searches to help you narrow the search results.
Tags example
You have an extracted field called IPaddress, which refers to the IP addresses of the data sources within your company intranet. You can tag each IP address based on its functionality or location. You can tag all of your routers' IP addresses as router, and tag each IP address based on its location, for example, SF or Building1. An IP address of a router located in San Francisco inside Building 1 could have the tags router, SF, and Building1.
To search for all routers in San Francisco that are not in Building1, use the following search.
tag=router tag=SF NOT (tag=Building1)
Tags and the search-time operations sequence
When you run a search, Splunk software runs several operations to derive knowledge objects and apply them to events returned by the search. Splunk software performs these operations in a specific sequence.
Search-time operation order
Tags come last in the sequence of search-time operations.
Restrictions
The Splunk software applies tags to field/value pairs in events in ASCII sort order. You can apply tags to any field/value pair in an event, whether it is extracted at index time, search time, or added through some other method, such as an event type, lookup, or calculated field.
For more information
For more information about search-time operations, see search-time operations sequence.
Field aliases
Field aliases enable you to normalize data from multiple sources. You can add multiple aliases to a field name or use these field aliases to normalize different field names. The use of Field aliases does not rename or remove the original field name. When you alias a field, you can search for it with any of its name aliases. You can alias field names in Splunk Web or in props.conf. See Create field aliases in Splunk Web.
You can use aliases to assign different extracted field names to a single field name.
Field aliases for all source types are used in all searches, which can produce a lot of overhead over time.
Field Aliases example
One data model might have a field called http_referrer. This field might be misspelled in your source data as http_referer. Use field aliases to capture the misspelled field in your original source data and map it to the expected field name.
Field aliases and the search-time operations sequence
Search-time operations order
Field aliasing comes fourth in the search-time operations order, before calculated fields but after automatic key-value field extraction.
Restrictions
Splunk software processes field aliases belonging to a specific host, source, or sourcetype in lexicographical order. You can create aliases for fields that are extracted at index time or search time. You cannot create aliases for fields that are added to events by search-time operations that come after the field aliasing process.
For more information
For more information about search-time operations, see search-time operations sequence.
| Use special parameters in workflow actions | Tag field-value pairs in Search |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2
Download manual
Feedback submitted, thanks!