Knowledge Management

Categorizing tags

sarahw3
Explorer

I have tags for the name of cameras and then tags for the status of the cameras that I created through eventtypes. Both of these tags are under the same tag category in my data and I want to create a panel that shows only the status tags. When I do |status count by tag it includes the name tags. Is it possible to categorize tags that are created through event types so that I could do something along the lines of |stats count by tag_status?

I have very little experience with splunk so any help would be fantastic!

0 Karma
1 Solution

woodcock
Esteemed Legend

Just drop or keep the tags you like with | regex tag="YourRegExHere" at the end. What is interesting about multi-valued fields (like tags) is that a single event will be counted in each value (each tag) so your counts for the tags that you'd like to keep should be correct. Just drop the stuff you don't need.

View solution in original post

woodcock
Esteemed Legend

Just drop or keep the tags you like with | regex tag="YourRegExHere" at the end. What is interesting about multi-valued fields (like tags) is that a single event will be counted in each value (each tag) so your counts for the tags that you'd like to keep should be correct. Just drop the stuff you don't need.

sarahw3
Explorer

I just tried using the regex with two tags as |regex tag="Working" OR tag="No_Images" and it does not like it. I have four specific tags that I want to count. What would that code look like? Will regex work with stats count?

0 Karma

DalJeanis
SplunkTrust
SplunkTrust
|regex tag="Working|No_Images|Tag3|Tag4"

sarahw3
Explorer

That helps! So now what do I write for the stats count function? Because if I do |stats count by tag it does it for all the tags I have instead of the four that I want.

0 Karma

sarahw3
Explorer

When I look at the events with '|regex tag="Working|No_Images|Tag3|Tag4"' it is only showing 167 when I have over 400,000

0 Karma

sarahw3
Explorer

Just kidding I had extra stuff in my search! But I am still having trouble with the count

0 Karma

sarahw3
Explorer

Yay I got it!! I needed to do the regex after the count! Thank y'all so so so much!

woodcock
Esteemed Legend

That's what I said in the first place ("at the end")! 😆 I am glad that you got it.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...