Splunk® Enterprise

Knowledge Manager Manual

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Define and manage tags in Settings

Splunk software provides multiple methods for tag creation and management. Most users use the simplest method tagging field-value pairs directly in search results. See Tag and alias field values in Search.

Use the Tags page in Settings to manage the tags created by users of your Splunk deployment.

  • Manage tags for your Splunk deployment.
  • Create tags.
  • Disable or delete tags.

Using the Tags page in Settings

The Tags page in Settings gives you three views of your tags. Each view is a different tag organization.

  • List by field value pair
  • List by tag name
  • All unique tag objects

Use these pages to create, edit, or delete tags, and manage the sets of tags that are associated with specific field-value pairs or apps.

Before you create new field-value pair records on the Settings pages for tags, verify that the field-value pairs exist in your data. The Splunk platform does not perform validation to ensure that you are not associating tags to nonexistent field-value pairs.

Managing associations between field-value pairs and tag sets

The List by field-value pair page lists the field-value pairs that are associated with tag sets. On this page you can perform the following actions if the permissions associated with your role allow it:

  • Create a new field-value pair record. Click New to provide a field-value pair and one or more tag names.
  • Edit the list of tags that are associated with a field-value pair. Click a field-value pair name and add or remove tag names.
  • Update permissions for a field-value pair. Click Permissions. The Splunk platform applies field-value pair permission updates to all tags associated with the pair.
  • Disable all tags associated with a field-value pair. If you need to remove tags from your search results without deleting them, disable them instead.
  • Clone, Move, or Delete an association between a field-value pair and a set of tags.

The List by field-value pair page breaks out field-value pairs by app. If you have the same field-value pair in multiple apps, it appears on multiple rows of the List by field-value pair page. This means you can apply a change to the association between a field-value pair and a set of tags in one app without affecting field-value pairs or tags in other apps..

For example, say you have the same field-value pair in the Search & Reporting and Enterprise Security apps, and in both apps it is associated with the same two tags: tag-a and tag-b. If you disable the association between the field-value pair and the two tags in the Search & Reporting app, the field-value pair will continue to be associated with the tag-a and tag-b in the ES app.

As a knowledge manager, consider using a carefully designed and maintained set of tags. This practice aids with data normalization, and can reduce confusion on the part of your users.

See Manage knowledge objects through Settings pages.

Managing associations between tags and sets of field-value pairs

The List by tag name page lists each of the tags that are in your Splunk platform deployment. It lists each tag once, even if the tag appears in multiple apps or is associated with multiple field-value pairs.

On this page you can perform the following actions if the permissions associated with your role allow it:

  • Create new tags. Click New to define a tag name and provide a field-value pair.
  • Edit the field-value pair lists for tags. Click the tag name to add, remove, or edit the field-value pairs that are associated with a tag.
  • Clone or Delete tags.
  • Disable tags.

When you disable a tag through the List by tag name page, the Splunk platform disables the tag across all apps that contain the tag. The row for the disabled tag also disappears from the list. To reenable disabled tags, go to the List by field-value pair page, locate the related field-value pair, and add the name of the disabled tag to it.

The List by tag name page does not allow you to manage permissions for the set of field-value pairs associated with a tag.

As a knowledge manager, consider using a carefully designed and maintained set of tags. This practice aids with data normalization, and can reduce confusion on the part of your users.

See Manage knowledge objects through Settings pages.

Reviewing all unique field-value pair and tag combinations

The All unique tag objects page lists out all of the unique tag name, field-value pairing, and app combinations in your deployment. This page lets you edit one-to-one relationships between tags and field-value pairs. If a tag object is identical to tag objects in other apps, it will appear multiple times in this list, once for each app.

You can search for a particular tag to quickly see all of the field-value pairs with which it's associated, or you can disable or clone a particular tag and field-value association, or you can maintain permissions at that level of granularity.

Disabling and deleting tags

If you have a tag that you no longer want to use, or want to have associated with a particular field-value pairing, you can disable it or remove it.

  • Remove a tag association for a specific field-value pair in the search results.
  • Bulk disable or delete a tag, even if it is associated to multiple field values, with the List by tag name page.
  • Bulk disable or delete the associations between a field-value pair and a set of tags by using the List by field-value pair page.

For information about deleting tag associations with specific field-value pairs in your search results, see Tag field-value pairs in Search.

Delete a tag with multiple field-value pair associations

You can use Splunk Web to remove a tag from your system, even if it is associated with dozens of field-value pairs. This method lets you get rid of all of these associations in one step.

Select Settings > Tags > List by tag name. Delete the tag. If you don't see a delete link for the tag, you don't have permission to delete it. When you delete tags, be aware of downstream dependencies. See Manage knowledge objects through Settings pages.

You can open the edit view for a particular tag and delete a field-value pair association directly.

Disable or delete the associations between a field-value pairing and a set of tags

Use this method to bulk-remove the set of tags that is associated to a field-value pair. This method enables you to get rid of these associations in a single step. It does not remove the field-value pairing from your data, however.

Select Settings > Tags > List by field-value pair. Delete the field-value pair. If you do not see a delete link for the field-value pair, you do not have permission to delete it. When you delete these associations, be aware of downstream dependencies that may be adversely affected by their removal. See Manage knowledge objects through Settings pages.

You can also delete a tag association directly in the edit view for a particular field-value pair.

Disable tags

Depending on your permissions to do so, you can also disable tag and field-value pair associations using the three Tags pages in Settings. When an association between a tag and a field-value pair is disabled, it stays in the system but is inactive until it is enabled again.

When you disable a tag through the List by tag name page, the Splunk platform disables the tag across all apps that contain the tag. The row for the disabled tag also disappears from the list. To reenable disabled tags, go to the List by field-value pair page, locate the related field-value pair, and add the name of the disabled tag to it.

Last modified on 06 June, 2019
Tag field-value pairs in Search   Tag the host field

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 8.1.10, 8.1.12, 8.1.13, 8.1.14


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters