The following are the spec and example files for
Version 8.0.1 This file contains possible attribute/value pairs for configuring tags. Set any number of tags for indexed or extracted fields. There is no tags.conf in $SPLUNK_HOME/etc/system/default/. To set custom configurations, place a tags.conf in $SPLUNK_HOME/etc/system/local/. For examples, see tags.conf.example. You must restart Splunk software to enable configurations. To learn more about configuration files (including precedence) please see the documentation located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
* The field name and value to which the tags in the stanza apply. For example, host=localhost. * A tags.conf file can contain multiple stanzas. It is recommended that the value be URL encoded to avoid configuration file parsing errors, especially if the field value contains the following characters: \n, =,  * Each stanza can refer to only one field/value pair. <tag1> = <enabled|disabled> <tag2> = <enabled|disabled> <tag3> = <enabled|disabled> * Enable or disable each <tag> for this specific field/value pair. * While you can have multiple tags in a stanza (meaning that multiple tags are assigned to the same field/value combination), only one tag is allowed per stanza line. In other words, you can't have a list of tags on one line of the stanza. * WARNING: Do not put the <tag> value in quotes. For example, use foo=enabled, not "foo"=enabled.
# Version 8.0.1 # # This is an example tags.conf. Use this file to define tags for fields. # # To use one or more of these configurations, copy the configuration block into # tags.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to # enable configurations. # # To learn more about configuration files (including precedence) please see the # documentation located at # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles # # This first example presents a situation where the field is "host" and the # three hostnames for which tags are being defined are "hostswitch," # "emailbox," and "devmachine." Each hostname has two tags applied to it, one # per line. Note also that the "building1" tag has been applied to two hostname # values (emailbox and devmachine). [host=hostswitch] pci = enabled cardholder-dest = enabled [host=emailbox] email = enabled building1 = enabled [host=devmachine] development = enabled building1 = enabled [src_ip=192.168.1.1] firewall = enabled [seekPtr=1cb58000] EOF = enabled NOT_EOF = disabled
This documentation applies to the following versions of Splunk® Enterprise: 8.0.1