topic Re: How to enter hosts in Splunk Search

How to enter hosts

Shane — Thu, 21 Oct 2010 22:49:52 GMT

What is the proper format to put hosts in the tags.conf file?

Re: How to enter hosts

southeringtonp — Thu, 21 Oct 2010 23:09:30 GMT

Like this:

[host=yourhostname]
your_first_tagname = enabled
your_second_tagname = enabled

To validate that it's working, run a search for host=yourhostname, and a search for tag::host=your_first_tagname. Both should return the same results.

Re: How to enter hosts

Shane — Mon, 28 Sep 2020 09:19:35 GMT

I know this is going to sound bad but what I tried isn't working.
If my device is named Router1 and the IP is 10.0.0.1 would it be

[host=Router1]
your_first_tagname = enabled
your_second_tagname = enabled

Also, do I have to restart SPUNK when I update the tags.conf file?

Re: How to enter hosts

southeringtonp — Thu, 21 Oct 2010 23:58:23 GMT

It needs to match the value of the host field in the index. Run a search for host="Router1", and run a search for host="10.0.0.1". Whichever of those returns actual results is the one you need to use. A reboot should not be required

Re: How to enter hosts

Shane — Fri, 22 Oct 2010 00:35:19 GMT

So now I have in the [host="router1.mycompany.com"] which is what returns results in the search. I'm still not getting anything. Is there something I need to put for the other two lines?

Re: How to enter hosts

southeringtonp — Fri, 22 Oct 2010 03:27:07 GMT

Try it without the quotes.

Re: How to enter hosts

Shane — Fri, 22 Oct 2010 03:43:04 GMT

I'm still not seeing anything. Is there a log file I can check out to see what's not working?

Re: How to enter hosts

Shane — Fri, 22 Oct 2010 05:46:43 GMT

I was not testing it that way but now that I have your last statement is correct. When I put the tag:: in front of the word host it doesn't come back with any results.

Re: How to enter hosts

southeringtonp — Sat, 23 Oct 2010 06:45:32 GMT

And you're entering the hostname exactly the same way in search and in tags.conf? In your messages above, you refer to the machine in several different ways - the unqualified hostname Router1, fqdn router1.mycompany.com, and IP address 10.0.0.1. Make sure that you are picking one form and using the exact same name everywhere. Also, make sure you're putting your tags.conf file in the right place. When in doubt, you probably want it in $SPLUNK_HOME/etc/apps/search/local/tags.conf.

Re: How to enter hosts

gkanapathy — Sun, 24 Oct 2010 09:38:12 GMT

I would generally suggest using lookup tables rather than tags, unless you need users to be able to edit tags in the UI.

Re: How to enter hosts

southeringtonp — Sun, 24 Oct 2010 11:01:26 GMT

Doesn't that introduce a performance penalty if you're trying to search by certain classes of host? e.g., if you have lots of Windows servers, all logging with the same sourcetype, and wanted to search for just events from domain controllers... Wouldn't search tag::host=domain_controller be faster than search lookup_result=domain_controller. I've always thought that the former would be expanded early enough in the process to be able to leverage the host field in the index, where the second would have to pull back data from all hosts before filtering down.

Re: How to enter hosts

gkanapathy — Mon, 25 Oct 2010 03:13:53 GMT

no. automatic lookups are reversed and only retrieve matching hosts.

Re: How to enter hosts

Shane — Tue, 26 Oct 2010 03:49:12 GMT

How would I implement lookup tables?

Re: How to enter hosts

mamaral — Thu, 04 Nov 2010 01:01:32 GMT

It didn't work for me... Could someone please, give a example of tags.conf?

Re: How to enter hosts

Shane — Wed, 24 Nov 2010 05:35:43 GMT

So I figured out that my problem is that I'm using Splunk on a Windows box. I ended up having the engineer from Splunk that I've been working with contact the author of the app and he said it had to be on a Linux platform. Thanks for all the help everyone.