https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-tag-for-multiple-fields/m-p/145692#M29702 <P>Hi,</P> <P>im trying to create tags based on two fields that i have in my logs.<BR /> 1- sourcetype<BR /> 2- path</P> <P>The idea is that we want to show events that when we search with tag it shows results when both criterias are matched </P> <P>So let say we have this log</P> <PRE><CODE>Mon Feb 16 15:20:21 2015 action=add, path="C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\LogFiles\ReportServerService__02_16_2015_00_07_46.log", isdir=0, size=92834, gid=-1, uid=-1, modtime="Mon Feb 16 15:18:28 2015", mode="rwxrwxrwx", hash= </CODE></PRE> <P>We want the tag to be shown when the sourcetype is <CODE>File_Intergrity_Monitor</CODE> in this case, and the path is something inside <CODE>"C:\Program Files\Micorosoft SQL\*</CODE></P> <P>Can this be done ?<BR /> Im trying but at the moment if i create the tag it will match the sourcetype only and not the path field</P> <P>Thanks</P> Tue, 17 Feb 2015 14:55:05 GMT arber 2015-02-17T14:55:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-tag-for-multiple-fields/m-p/145692#M29702 <P>Hi,</P> <P>im trying to create tags based on two fields that i have in my logs.<BR /> 1- sourcetype<BR /> 2- path</P> <P>The idea is that we want to show events that when we search with tag it shows results when both criterias are matched </P> <P>So let say we have this log</P> <PRE><CODE>Mon Feb 16 15:20:21 2015 action=add, path="C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\LogFiles\ReportServerService__02_16_2015_00_07_46.log", isdir=0, size=92834, gid=-1, uid=-1, modtime="Mon Feb 16 15:18:28 2015", mode="rwxrwxrwx", hash= </CODE></PRE> <P>We want the tag to be shown when the sourcetype is <CODE>File_Intergrity_Monitor</CODE> in this case, and the path is something inside <CODE>"C:\Program Files\Micorosoft SQL\*</CODE></P> <P>Can this be done ?<BR /> Im trying but at the moment if i create the tag it will match the sourcetype only and not the path field</P> <P>Thanks</P> Tue, 17 Feb 2015 14:55:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-tag-for-multiple-fields/m-p/145692#M29702 arber 2015-02-17T14:55:05Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-tag-for-multiple-fields/m-p/145693#M29703 <P>Create and eventtype for this, and associate the tag to that Eventtype. You can do this via the GUI, or via configfiles..</P> <PRE><CODE>eventtypes.conf [myevent] search = index=myindex sourcetype=File_Intergrity_Monitor path="C:\Program Files\Microsoft SQL\*" tags.conf [eventtype=myevent] mytagname = enabled mytagname2 = enabled </CODE></PRE> Wed, 18 Feb 2015 19:18:08 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-tag-for-multiple-fields/m-p/145693#M29703 esix_splunk 2015-02-18T19:18:08Z https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-tag-for-multiple-fields/m-p/145694#M29704 <P>Thanks,<BR /> we create the eventtype based on the search and did the match based on that eventtype</P> <P>Thanks again</P> Thu, 19 Feb 2015 13:45:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-create-a-tag-for-multiple-fields/m-p/145694#M29704 arber 2015-02-19T13:45:34Z