Hi,
I want to create some tags and associate them with an index. Where would tags.conf be put? Search Head? Indexer?
Hi a212830,
Generally you would want to create an eventtype (some particular search, could just be index="your_index"
and then set tag_name=enabled
for that eventtype in tags.conf.
Both eventtypes and tags are search time operations, and so this config only needs set on whatever instance you are searching from.
Please let me know if this answers your question! 😄
Old thread here, but I'm having trouble getting the tag to show up in console searches after restarting the host forwarder service. Running 8.2.5 server and 9.0.0.1 forwarder agent.
/splunkforwarder/etc/system/local/tags.conf content:
[host=server01]
myapp = enabled
On your Search Head(s).
Hi a212830,
Generally you would want to create an eventtype (some particular search, could just be index="your_index"
and then set tag_name=enabled
for that eventtype in tags.conf.
Both eventtypes and tags are search time operations, and so this config only needs set on whatever instance you are searching from.
Please let me know if this answers your question! 😄
Makes sense, just not working. I have an app on my license manager, and put an eventtypes.conf and a tags.conf and restarted it. The eventtype is recognized, but I can't find the tag.
eventtypes.conf:
[network_index]
search = index=network
tags.conf:
[eventtype=network_index]
costBU = GNS
When I look for tags in the gui, they don't appear. I'm doing this as admin.
the format for tags is <tagname> = [enabled|disabled]
so, costBU = enabled
or GNS = enabled
Ok, so that enables the tag? Can I populate it?
Correct, that enables the tag. Once set, and splunk is reloaded/restarted, when you run searches you'll find the tag field show up for any events that match that eventtype, and therefore that tag.
You can also directly search for a tag, i.e. tag="costBU" OR tag="GNS"
Got it. Thanks!
sure thing, glad to help! 😄