topic Re: server tags in Knowledge Management

server tags

rashid47010 — Sun, 01 Jan 2017 19:59:05 GMT

Hi everyone
I have four server. two are web portal and two are application servers. all four servers belongs to one online service. Now for my simple understanding I want to tag them as service name so when i give below query I should see the events from all those four servers.

tag=onlineapplication

how can I do that

Re: server tags

martin_mueller — Sun, 01 Jan 2017 21:03:02 GMT

There are several ways to get there, one is to go to the top right corner of the UI Settings -> Tags -> Add new

http://docs.splunk.com/Documentation/Splunk/6.5.1/Knowledge/Tagthehostfield

Re: server tags

gcusello — Mon, 02 Jan 2017 07:14:10 GMT

Hi rashid47010
I like to use tags associated to eventtypes, so I create an eventtype like this

my_index=my_index sourcetype=my_sourcetype (host=hostAS1 OR host=hostAS2)

associating to it tag=applicationserver
and then

my_index=my_index sourcetype=my_sourcetype (host=hostOS1 OR host=hostOS2)

associating to it tag=onlineservices

In this way I can use them instead searches (your search became tag=applicationserver OR tag=onlineservices) and you can easily manage changes in architecture (e.g. inserting an additional server) modifying only eventtype instead all searches.

Have a good year.
Bye.
Giuseppe

Re: server tags

rashid47010 — Mon, 02 Jan 2017 16:15:26 GMT

I follow the same steps.
I associate the tag=abc against below host and I can see the tag when I explore the event like below

index=aix host=sssss

but when I use the
tag=abc

I can't see anything. might some permission issue. I am login as normal user.

Re: server tags

rashid47010 — Mon, 02 Jan 2017 16:17:09 GMT

great idea, but unfortunately for some services I have 15 to 20 servers. my next plan to tag them based on zones. and then tag them as internal resources or external.

so at the end all host have three type of tags.

1- based on application
2- based on DMZ zones
3- based on internal or external location( internal means within the network and external means coming from internet)

Re: server tags

gcusello — Tue, 03 Jan 2017 07:45:19 GMT

Ok what is the problem? you'll have more than two tags but every way you can easily manage them in only one point.
In addition think (if possible) to use the the same tag for different eventtypes: e.g. if I need to monitor login of different systems (Win, Linux, appliances, ...), I can create one eventtype for each sourcetype and use for all of them the tag=LOGIN, in this way with only one tag I can search on different logs.
Bye.
Giuseppe

Re: server tags

martin_mueller — Tue, 03 Jan 2017 08:53:06 GMT

A tag defined on the host field doesn't have any knowledge of the index, try this:

index=aix tag=abc