Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to add custom tags to event data via unive...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to add custom tags to event data via universal forwarder?
I am using universal forwarder.
I wish to tag my logs with the application and some custom information like groupA or groupB etc. So, I wish to have multiple tags to my events namely applog1, groupA.
I understand we can do it from _meta in inputs.conf. But, that does not seem to work. In fact, once I add a tag, none of the events are shown in search.
Is there any other way to do that ? Any pointers will help.
Thanks and Regards,
Abhay Dandekar
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do it at the app level at tags.conf
You can create one tag from the UI (so you see when it ends up) and then add more to this tags.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is tags.conf a config that can be applied at the config of universal-forwarder or is it an indexer config only feature?
Where would it have to be place in the forwarder directory to make it effective?
I have tried:
/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/tags.conf
with the following config:
[host=myhost.mydomain.net]
nonproduction=enabled
testsystem=enabled
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tags are applied at searchtime, so the easist way to do this is to built event types for each of your scenarious and then attach a tag to an event type.
There is a great splunk video here: http://www.splunk.com/view/SP-CAAAGYJ
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This video is excellent - one of my favorites ; -)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, the video was great.
But, is there any automated way to add institutional data to Splunk ? I was looking at forwarders for those, but somehow they are not working for adding tags to the existing fields.
Thanks and Regards,
Abhay Dandekar
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what do you mean "institutional data"?
If you mean common sourcetypes like syslog, windows events, LDAP, network events, firewall logs, ids logs, antivirus logs, proxy logs ... etc, etc.. then, take a look at splunkbase where you will find apps for all sorts of data. These applications commonly include automatic extractions and tags to identify and classify those datatypes automatically and apply them to a common information model.
If you mean something which is a little more bespoke to your organisation, you may need to perform some of the extractions and apply tags yourself.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for a quick response.
By institutional data, I mean data that cannot be derived directly and needs to be provided by user.
I am planning to add such information as tags at forwarding level itself.
Does that provide enough information ?
Thanks and Regards,
Abhay Dandekar
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk principally (but is not limited) to collecting data from log files. It in these cases one would normally deploy a universal forwarder to read the logs from the target system and then provide the content back to the Splunk indexer. - This assumes your data is in log files of some type.
If your data is to be collected from an API, TCP socket or a scripted process you have built you will probably want to consider a heavy forwarder which has the capabilities of the UF as well the means to run shell scripts or hooks via python.
I must admit that from your description I am not clear on your use case, but "tagging" has a specific meaning in the context of Splunk. I hope I am not doing you a disservice by suggesting you are referring to something else 🙂
I don't know if you are able to provide some sample data or maybe describe your use case in detail?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
