Wildcard support in tag definitions?

Yancy — Wed, 26 May 2010 03:36:11 GMT

Is there a way to set tags based off a wild card value?

IE I have the following hosts and I want to apply the 'test' tag to all of them

foo1 foo2 foo3 foo4

Right now I think I have to apply a tag to each host individually

host=foo1 host=foo2 host=foo3 host=foo4

But what I'd really like is to do something like:

host=foo*

Is this possible, or is there another way that I can do this (such as with a saved search?) As we provision new hosts, sometimes tagging gets missed, which then causes omissions on searches that use these tags. Just trying to find a good work around.

Re: Wildcard support in tag definitions?

Lowell — Wed, 26 May 2010 20:51:06 GMT

Update: As of Splunk 6, this IS supported. (Possibly it worked in 5.0, I'm not sure.)

No. Tags cannot use wildcards.

There used to be a tagcreate search command. But it was removed in Splunk 4.0. That could have been used, but for whatever reason it has been removed. (I'm not sure what the official replacement is, but I do know thats it's often better to build a lookup table than to use automatically generated tags, because lookups scale better, so perhaps thats part of the reason. But it does seem that using tags is the right approach here, so that really doesn't help you.)

A different approach

Here is one possible approach to finding hosts that have not been tagged yet:

| metadata type=hosts index=main | tags | search NOT tag::host=*

You can use the metadata information from one of your indexes to very quickly get a list of active hosts (any host that has events in your index). Then the tags command is used to get the tags associated with each hosts (thus creating the tag::host field).

You could schedule a search like this to run every day and email you about any new (untagged) hosts. And, of course, you have all the normal splunk post-search power at your disposal here.
You could also take an approach where you are looking for certain hosts names and checking for certain tags (like in your example):

| metadata type=hosts | tags | search host=foo* NOT host::tag=test

Of course, you will still have to deal with missing tags manually. But, at least you'll know which hosts are missing tags.

A more complex example

The more I'm thinking about this, the more helpful I'm thinking this would be for me to setup as well. I'm setting up a weekly search like this:

| metadata type=hosts | tags | search NOT tag::host=* totalCount>100 | regex host!="^\d+.\d+\.\d+\.\d+$" | where lastTime>relative_time(now(),"-1mon")`

I'm using a where command to filter out hosts with no event within the past month (decommissioned hosts) or hosts that have less that 100 events (which I also don't care about). We also have a number of hosts that are just IP addresses (small network devices with minimal activity), so they normally don't get tagged and therefore are being filtered out.

Re: Wildcard support in tag definitions?

Yancy — Thu, 27 May 2010 08:28:25 GMT

Thanks Lowell! I remember someone referencing the tagcreate command before. I'm going to run a scheduled search as well.

topic Wildcard support in tag definitions? in Getting Data In

Wildcard support in tag definitions?

Re: Wildcard support in tag definitions?

A different approach

A more complex example

Re: Wildcard support in tag definitions?