Splunk® Enterprise

Search Reference

Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

tags

Description

Annotates specified fields in your search results with tags. If there are fields specified, only annotate tags for those fields. Otherwise, look for tags for all fields.

Syntax

The required syntax is in bold.

tags
[outputfield=<field>]
[inclname=<bool>]
[inclvalue=<bool>]
<field-list>

Required arguments

None.

Optional arguments

<field-list>
Syntax: <field> <field> ...
Description: Specify the fields that you want to output the tags from. The tags are written to the outputfield.
Default: All fields
outputfield
Syntax: outputfield=<field>
Description: If specified, the tags for all of the fields are written to this one new field. If not specified, a new field is created for each field that contains tags. The tags are written to these new fields using the naming convention tag::<field>. In addition, a new field is created called tags that lists all of the tags in all of the fields.
Default: New fields are created and the tags are written to the new fields.
inclname
Syntax: inclname=true | false
Description: If outputfield is specified, this controls whether or not the event field name is added to the output field, along with the tags. Specify true to include the field name.
Default: false
inclvalue
Syntax: inclvalue=true | false
Description: If outputfield is specified, controls whether or not the event field value is added to the output field, along with the tags. Specify true to include the event field value.
Default: false

Usage

The tags command is a distributable streaming command. See Command types.

If outputfield is specified, the tags for the fields are written to this field. By default the tag is written to the outputfield, in the format <field>::<tag>.

For example sourcetype::apache.

If outputfield is specified, the inclname and inclvalue arguments control whether or not the field name and field values are added to the outputfield. If both inclname and inclvalue are set to true the format <field>::<value>::<tag>.

For example sourcetype::access_combined_wcookie::apache.

Examples

1. Results using the default settings

This example uses the sample data from the Search Tutorial but should work with any format of Apache web access log. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Use the time range All time when you run the search.

This search looks for web access events and counts those events by host.

sourcetype=access_* | stats count by host


The results look something like this:

host count
www1 13628
www2 12912
www3 12992

When you use the tags command without any arguments, two new fields are added to the results tag and tag::host.

sourcetype=access_* | stats count by host | tags


The results look something like this:

host count tag tag::host
www1 13628 tag2 tag2
www2 12912 tag1 tag1
www3 12992

There are no tags for host=www3.


Add the sourcetype field to the stats command BY clause.

sourcetype=access_* | stats count by host sourcetype | tags


The results look something like this:

host sourcetype count tag tag:host tag::sourcetype
www1 access_combined_wcookie 13628 apache

tag2

tag2 apache
www2 access_combined_wcookie 12912 apache

tag1

tag1 apache
www3 access_combined_wcookie 12992 apache apache

The tag field list all of the tags used in the events that contain the combination of host and sourcetype.

The tag::host field list all of the tags used in the events that contain that host value.

The tag::sourcetype field list all of the tags used in the events that contain that sourcetype value.

2. Specifying a list of fields

Write tags for host and eventtype fields in the format tag::host and tag::eventtype.

... | tags host eventtype

3. Specifying an output field

Write the tags for all fields to the new field test.

... | tags outputfield=test


The results look something like this:

host sourcetype count test
www1 access_combined_wcookie 13628 apache

tag2

www2 access_combined_wcookie 12912 apache

tag1

www3 access_combined_wcookie 12992 apache

4. Including the field names in the search results

Write the tags for the host and sourcetype fields into the test field in the format host::<tag> or sourcetype::<tag>. Include the field name in the output.

... | tags outputfield=test inclname=t host sourcetype


See also

Related information
About tags and aliases in the Knowledge Manager Manual
Tag field-value pairs in Search in the Knowledge Manager Manual
Define and manage tags in Settings in the Knowledge Manager Manual
Commands
eval
Last modified on 19 August, 2022
 

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters