Is there a way to set tags based off a wild card value?
I.e., I have the following hosts and I want to apply the 'test' tag to all of them
foo1 foo2 foo3 foo4
Right now I think I have to apply a tag to each host individually
host=foo1 host=foo2 host=foo3 host=foo4
But what I'd really like is to do something like:
Is this possible, or is there another way that I can do this (such as with a saved search?) As we provision new hosts, sometimes tagging gets missed, which then causes omissions on searches that use these tags. Just trying to find a good work around.
Update: As of Splunk 6, this IS supported. (Possibly it worked in 5.0, I'm not sure.)
No. Tags cannot use wildcards.
There used to be a tagcreate search command. But it was removed in Splunk 4.0. That could have been used, but for whatever reason it has been removed. (I'm not sure what the official replacement is, but I do know that it's often better to build a lookup table than to use automatically generated tags, because lookups scale better, so perhaps that's part of the reason. But it does seem that using tags is the right approach here, so that really doesn't help you.)
Here is one possible approach to finding hosts that have not been tagged yet:
| metadata type=hosts index=main | tags | search NOT tag::host=*
You can use the metadata information from one of your indexes to very quickly get a list of active hosts (any host that has events in your index). Then the tags command is used to get the tags associated with each host (thus creating the
You could schedule a search like this to run every day and email you about any new (untagged) hosts. And, of course, you have all the normal Splunk post-search power at your disposal here.
You could also take an approach where you are looking for certain hosts names and checking for certain tags (like in your example):
| metadata type=hosts | tags | search host=foo* NOT tag::host=test
Of course, you will still have to deal with missing tags manually. But, at least you'll know which hosts are missing tags.
The more I'm thinking about this, the more helpful I'm thinking this would be for me to setup as well. I'm setting up a weekly search like this:
| metadata type=hosts | tags | search NOT tag::host=* totalCount>100 | regex host!="^\d+\.\d+\.\d+\.\d+$" | where lastTime>relative_time(now(),"-1mon")
I'm using a where command to filter out hosts with no event within the past month (decommissioned hosts) or hosts that have less than 100 events (which I also don't care about). We also have a number of hosts that are just IP addresses (small network devices with minimal activity), so they normally don't get tagged and therefore are being filtered out.