Field Values to Tags?

Getting Data In

Hi All,

I am in an interesting predicament in the environment I work with where our traditional method of tagging devops hosts via UF (in props/transforms) will no longer suffice as the team is moving to kubernetes and using Splunk Connect to forward to the HEC on our SH.

A few of our Splunk end-users are questioning our ability to dynamically create tags, which they rely heavily on when creating custom reports and dashboards. Long story short, I am curious if there is the ability to assign a field value (i.e, altci) to a tag when a log is sent to the HEC. I believe there may be the ability to do this on the indexer level as data is being sent through the indexing pipeline but I do not have any experience and I can't find any documentation that states this. I would appreciate any type of guidance on this matter. Thank you!

Dan

Ideally, it would be something like:

If log has a field named altci, turn the field value into a tag=altcivalue.

Get Updates on the Splunk Community!

Field Values to Tags?

HTTP Event Collector

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation

Field Values to Tags?

HTTP Event Collector

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions