Event Tagging - Auto Tag or Lookup

Explorer

I would like to have the hosts/sources tagged as they are implemented into the system rather than have to go through after the fact, select the specific hosts, and then tag them at that time.

I am wondering if anyone has written any scripting into Splunk that identifies a source from a lookup file or something similar and then populates the correct .conf file necessary.

Thanks in advance

Answered -

Generally, I would recommend using lookup tables (which operate on CSV files, which can be easily generated) rather than tags for something like this.

Question - How would we implement the above answer? I am not sure what they are referring to by using lookup tables as opposed to tagging.

Thanks again


Re: Event Tagging - Auto Tag or Lookup

Splunk Employee

Generally, I would recommend using lookup tables (which operate on CSV files, which can be easily generated) rather than tags for something like this.


Re: Event Tagging - Auto Tag or Lookup

Explorer

Can you explain or elaborate on the above comment please? If it will work in the same way, I am all for it.


Re: Event Tagging - Auto Tag or Lookup

Motivator

You can use a lookup table with tags for your different host names.

For example, if you had a CSV table like this:

host,host_tag
HostA,webserver
HostB,webserver
HostC,sqlserver
HostD,domaincontroller

You could then create a lookup in Splunk like the following:

transforms.conf:

[hostlookup]
filename = mylookupfile.csv

and props.conf:

[host::*]
LOOKUP-hostlookup = hostlookup host OUTPUTNEW host_tag

Now what this will do is that, for every search you run, Splunk will look up each event's host field in your CSV table for the corresponding host_tag and output it as a new field. This also means that you could do a search like the following:

host_tag=webserver

and it would return events from HostA and HostB.

The lookup table is easy to update and keep current, a lot easier than working with a lot of Splunk tags.

Post a comment if you have any questions.
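The original question also asked for scripting that builds the lookup automatically. The following is an added example, not code from this thread or from Splunk: it turns a constructed host inventory into the lookup CSV described above, refuses rows that are ambiguous (a host listed with two different roles, or no role at all), prints the matching transforms.conf and props.conf stanzas, and simulates how the search-time automatic lookup with OUTPUTNEW enriches events so that a search such as host_tag=webserver can be checked offline. The inventory rows, sample events and the name of the inventory file are assumptions for illustration; the lookup name hostlookup and mylookupfile.csv come from the answer above.

```python
"""Added example (not part of the original thread): build a Splunk host-tag
lookup CSV from a simple inventory, emit the transforms.conf / props.conf
stanzas that wire it up, and simulate the search-time automatic lookup.
Inventory rows and sample events below are constructed for illustration."""
import csv
import io

# Constructed inventory, one line per host, as an ops team might export it.
# HostC appears twice with different roles and HostE has no role at all.
INVENTORY_CSV = """host,role
HostA,webserver
HostB,webserver
HostC,sqlserver
HostC,webserver
HostD,domaincontroller
HostE,
"""

LOOKUP_NAME = "hostlookup"        # stanza name in transforms.conf (from the thread)
LOOKUP_FILE = "mylookupfile.csv"  # CSV placed under the app's lookups/ directory


def build_lookup_rows(inventory_text):
    """Return (rows, problems). rows are {'host','host_tag'} dicts ready for the
    lookup CSV; problems lists inventory lines that were skipped because an
    ambiguous lookup row would tag events wrongly rather than not at all.
    Host names are kept exactly as given: Splunk CSV lookups match the host
    field case-sensitively by default."""
    seen, conflicts, problems = {}, set(), []
    for rec in csv.DictReader(io.StringIO(inventory_text)):
        host = (rec.get("host") or "").strip()
        tag = (rec.get("role") or "").strip()
        if not host or not tag:
            problems.append(f"{host or '<blank>'}: missing host or role")
            continue
        if host in seen and seen[host] != tag:
            conflicts.add(host)
            problems.append(f"{host}: conflicting tags {seen[host]!r} and {tag!r}")
        else:
            seen[host] = tag
    rows = [{"host": h, "host_tag": t} for h, t in sorted(seen.items())
            if h not in conflicts]
    return rows, problems


def render_lookup_csv(rows):
    """Serialise the rows in the header layout the answer shows (host,host_tag)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["host", "host_tag"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def render_conf_stanzas():
    """The two stanzas from the thread, with the props.conf key in the
    LOOKUP-<name> form that Splunk reads for automatic lookups."""
    transforms = f"[{LOOKUP_NAME}]\nfilename = {LOOKUP_FILE}\n"
    props = f"[host::*]\nLOOKUP-{LOOKUP_NAME} = {LOOKUP_NAME} host OUTPUTNEW host_tag\n"
    return transforms, props


def apply_automatic_lookup(events, rows, overwrite=False):
    """Mimic the search-time lookup: match each event's host field against the
    table and add host_tag. OUTPUTNEW (overwrite=False) only fills host_tag when
    the event has none; OUTPUT (overwrite=True) replaces an existing value."""
    table = {r["host"]: r["host_tag"] for r in rows}
    enriched = []
    for ev in events:
        ev = dict(ev)
        tag = table.get(ev.get("host", ""))
        if tag is not None and (overwrite or "host_tag" not in ev):
            ev["host_tag"] = tag
        enriched.append(ev)
    return enriched


def search_by_tag(events, rows, tag):
    """Equivalent of the search `host_tag=<tag>` over the enriched events."""
    return [ev for ev in apply_automatic_lookup(events, rows) if ev.get("host_tag") == tag]


# Constructed sample events in the shape Splunk presents them, one dict each.
SAMPLE_EVENTS = [
    {"host": "HostA", "_raw": "GET /index.html 200"},
    {"host": "HostB", "_raw": "GET /login 302"},
    {"host": "HostC", "_raw": "SELECT count(*) FROM users"},      # no lookup row
    {"host": "HostZ", "_raw": "unknown host, no lookup row"},
    {"host": "HostD", "host_tag": "manual", "_raw": "already tagged"},
]

if __name__ == "__main__":
    rows, problems = build_lookup_rows(INVENTORY_CSV)
    print(render_lookup_csv(rows))
    for p in problems:
        print("skipped:", p)
    transforms, props = render_conf_stanzas()
    print(transforms)
    print(props)
    for ev in search_by_tag(SAMPLE_EVENTS, rows, "webserver"):
        print(ev["host"], ev["_raw"])
```

Running it writes nothing to disk; in practice the CSV text would be saved as mylookupfile.csv in the app's lookups directory and the two stanzas merged into that app's transforms.conf and props.conf. Skipping conflicting hosts rather than keeping the first row is the deliberate choice here: a host that ends up in the wrong tag silently pollutes every search built on host_tag, whereas an untagged host is easy to spot with a search for events where host_tag is missing.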