https://community.splunk.com/t5/Getting-Data-In/How-to-add-custom-tags-to-event-data-via-universal-forwarder/m-p/305137#M57527 <P>Tags are applied at searchtime, so the easist way to do this is to built event types for each of your scenarious and then attach a tag to an event type. </P> <P>There is a great splunk video here: <A href="http://www.splunk.com/view/SP-CAAAGYJ">http://www.splunk.com/view/SP-CAAAGYJ</A></P> Wed, 15 Feb 2017 18:46:20 GMT nickhills 2017-02-15T18:46:20Z https://community.splunk.com/t5/Getting-Data-In/How-to-add-custom-tags-to-event-data-via-universal-forwarder/m-p/305136#M57526 <P>I am using universal forwarder.</P> <P>I wish to tag my logs with the application and some custom information like groupA or groupB etc. So, I wish to have multiple tags to my events namely applog1, groupA. </P> <P>I understand we can do it from _meta in inputs.conf. But, that does not seem to work. In fact, once I add a tag, none of the events are shown in search.</P> <P>Is there any other way to do that ? Any pointers will help. </P> <P>Thanks and Regards,<BR /> Abhay Dandekar</P> Wed, 15 Feb 2017 17:53:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-add-custom-tags-to-event-data-via-universal-forwarder/m-p/305136#M57526 dandekarabhay 2017-02-15T17:53:17Z https://community.splunk.com/t5/Getting-Data-In/How-to-add-custom-tags-to-event-data-via-universal-forwarder/m-p/305137#M57527 <P>Tags are applied at searchtime, so the easist way to do this is to built event types for each of your scenarious and then attach a tag to an event type. </P> <P>There is a great splunk video here: <A href="http://www.splunk.com/view/SP-CAAAGYJ">http://www.splunk.com/view/SP-CAAAGYJ</A></P> Wed, 15 Feb 2017 18:46:20 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-add-custom-tags-to-event-data-via-universal-forwarder/m-p/305137#M57527 nickhills 2017-02-15T18:46:20Z https://community.splunk.com/t5/Getting-Data-In/How-to-add-custom-tags-to-event-data-via-universal-forwarder/m-p/305138#M57528 <P>Thanks, the video was great.<BR /> But, is there any automated way to add institutional data to Splunk ? I was looking at forwarders for those, but somehow they are not working for adding tags to the existing fields.</P> <P>Thanks and Regards,<BR /> Abhay Dandekar</P> Mon, 20 Feb 2017 15:04:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-add-custom-tags-to-event-data-via-universal-forwarder/m-p/305138#M57528 dandekarabhay 2017-02-20T15:04:25Z https://community.splunk.com/t5/Getting-Data-In/How-to-add-custom-tags-to-event-data-via-universal-forwarder/m-p/305139#M57529 <P>You can do it at the app level at <A href="https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Tagsconf">tags.conf</A></P> <P>You can create one tag from the UI (so you see when it ends up) and then add more to this <CODE>tags.conf</CODE></P> Mon, 20 Feb 2017 15:33:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-add-custom-tags-to-event-data-via-universal-forwarder/m-p/305139#M57529 ddrillic 2017-02-20T15:33:28Z https://community.splunk.com/t5/Getting-Data-In/How-to-add-custom-tags-to-event-data-via-universal-forwarder/m-p/305140#M57530 <P>This video is excellent - one of my favorites ; -) </P> Mon, 20 Feb 2017 15:34:19 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-add-custom-tags-to-event-data-via-universal-forwarder/m-p/305140#M57530 ddrillic 2017-02-20T15:34:19Z https://community.splunk.com/t5/Getting-Data-In/How-to-add-custom-tags-to-event-data-via-universal-forwarder/m-p/305141#M57531 <P>what do you mean "institutional data"?</P> <P>If you mean common sourcetypes like syslog, windows events, LDAP, network events, firewall logs, ids logs, antivirus logs, proxy logs ... etc, etc.. then, take a look at <A href="http://apps.splunk.com/">splunkbase</A> where you will find apps for all sorts of data. These applications commonly include automatic extractions and tags to identify and classify those datatypes automatically and apply them to a common information model.</P> <P>If you mean something which is a little more bespoke to your organisation, you may need to perform some of the extractions and apply tags yourself. </P> Mon, 20 Feb 2017 17:19:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-add-custom-tags-to-event-data-via-universal-forwarder/m-p/305141#M57531 nickhills 2017-02-20T17:19:14Z https://community.splunk.com/t5/Getting-Data-In/How-to-add-custom-tags-to-event-data-via-universal-forwarder/m-p/305142#M57532 <P>Thanks for a quick response. </P> <P>By institutional data, I mean data that cannot be derived directly and needs to be provided by user.</P> <P>I am planning to add such information as tags at forwarding level itself.</P> <P>Does that provide enough information ?</P> <P>Thanks and Regards,<BR /> Abhay Dandekar</P> Mon, 20 Feb 2017 17:23:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-add-custom-tags-to-event-data-via-universal-forwarder/m-p/305142#M57532 dandekarabhay 2017-02-20T17:23:41Z https://community.splunk.com/t5/Getting-Data-In/How-to-add-custom-tags-to-event-data-via-universal-forwarder/m-p/305143#M57533 <P>Splunk principally (but is not limited) to collecting data from log files. It in these cases one would normally deploy a universal forwarder to read the logs from the target system and then provide the content back to the Splunk indexer. - This assumes your data is in log files of some type.</P> <P>If your data is to be collected from an API, TCP socket or a scripted process you have built you will probably want to consider a heavy forwarder which has the capabilities of the UF as well the means to run shell scripts or hooks via python.</P> <P>I must admit that from your description I am not clear on your use case, but "tagging" has a specific meaning in the context of Splunk. I hope I am not doing you a disservice by suggesting you are referring to something else <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>I don't know if you are able to provide some sample data or maybe describe your use case in detail?</P> Mon, 20 Feb 2017 18:40:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-add-custom-tags-to-event-data-via-universal-forwarder/m-p/305143#M57533 nickhills 2017-02-20T18:40:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-add-custom-tags-to-event-data-via-universal-forwarder/m-p/509612#M86680 <P>Is&nbsp;tags.conf&nbsp; a config that can be applied at the config of universal-forwarder or is it an indexer config only feature?&nbsp;<BR /><BR />Where would it have to be place in the forwarder directory to make it effective?&nbsp;<BR /><BR />I have tried:&nbsp;<BR /><BR />/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/tags.conf<BR /><BR />with the following config:<BR /><BR />[host=myhost.mydomain.net]<BR />nonproduction=enabled<BR />testsystem=enabled</P> Thu, 16 Jul 2020 21:21:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-add-custom-tags-to-event-data-via-universal-forwarder/m-p/509612#M86680 tomaszez 2020-07-16T21:21:23Z