Solved: How to tag events based on the host value that con...

ReachDataScient · ‎07-06-2018

Events from our DEV/PROD servers are ingested into the same index. This index already has events since 1 year.
The only way to distinguish the dev and prod events is if the host contains DEV or Prod in this value.
How can I tag the events based on the host value that contains a condition?

Thank you

woodcock · ‎07-06-2018

You first set an eventtype with a name like dev_hosts and set it equal to host IN("foo*", "*-dev-*", "*etc") and then create a tag with a name of dev_hosts set to eventtype=dev_hosts.

View solution in original post

woodcock · ‎07-06-2018

You first set an eventtype with a name like dev_hosts and set it equal to host IN("foo*", "*-dev-*", "*etc") and then create a tag with a name of dev_hosts set to eventtype=dev_hosts.

ReachDataScient · ‎07-06-2018

Can you please list the steps to achieve what you suggested.

woodcock · ‎07-06-2018

Settings -> Event types -> New Event Type
Be sure to set the Tag(s) settings.

How to tag events based on the host value that contains a condition?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation