So I want to bulk tag multiple field values with the same tag/alias using the Splunk Web search and not Linux configuration settings. I am trying to tag roughly 800 Windows and 800 Linux hosts, so that's why I am trying to find a bulk way to do this in the Web instead of going through the list one by one tagging them.
Example: Field=Hostname value=server1, Field=Hostname value=server2 (Tag=windows)
Example: Field=Hostname value=server3, Field=Hostname value=server4 (Tag=linux)
The overall goal is to separate servers depending on what version they run.
Is this possible?
It would be best not to use tags, but instead add metadata fields at index time (and do not use the field name tag) with settings like this:
In props.conf:
# one stanza per host; the placeholder is replaced with the real host name
[host::<WindowsHost1of800>]
TRANSFORMS-meta_windows_type = meta_windows_type
[host::<LinuxHost1of800>]
TRANSFORMS-meta_linux_type = meta_linux_type
In transforms.conf:
# REGEX = . matches every event, so the field is always written to _meta
[meta_windows_type]
REGEX = .
FORMAT = type::windows
DEST_KEY = _meta
[meta_linux_type]
REGEX = .
FORMAT = type::linux
DEST_KEY = _meta
https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction
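Added example, not part of the original thread: with 800 hosts per platform nobody should hand-write those props.conf stanzas, so the script below generates them (and the matching transforms.conf) from a host inventory, and also emits the tags.conf form that the question originally asked for, in case tags are still wanted. It validates the inventory first, rejecting malformed host names, unknown platforms and a host that appears under two different platforms, since a conflicting pair would silently leave only the last stanza in effect. The inventory is constructed sample data; the file names, the fields.conf stanza (which marks type as an indexed field so that type=windows is resolved against the index rather than extracted at search time) and the function names are this example's own choices. Note that index-time fields apply only to data indexed after the config is loaded on the indexers or heavy forwarders that parse it, which is worth checking before assuming a search over old data will match.

```python
"""Generate Splunk config stanzas that classify hosts as windows or linux.

Added example; not code from the original thread. Reads a constructed
'host,platform' inventory and emits props.conf / transforms.conf /
fields.conf (index-time 'type' field) plus a tags.conf alternative.
"""
import re
from collections import OrderedDict

# Constructed sample inventory; a real run would read a CSV export instead.
INVENTORY = """\
server1,windows
server2,windows
server3,linux
server4,linux
server2,windows
"""

PLATFORMS = ("windows", "linux")
# Hostname: alphanumeric start, then letters/digits/dot/dash/underscore.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,253}$")


def parse_inventory(text):
    """Return an ordered {hostname: platform} mapping.

    Raises ValueError for a malformed line, an unknown platform, a bad
    host name, or a host listed under two different platforms. Exact
    duplicate lines are tolerated.
    """
    hosts = OrderedDict()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'host,platform'")
        host, platform = parts[0], parts[1].lower()
        if platform not in PLATFORMS:
            raise ValueError(f"line {lineno}: unknown platform {platform!r}")
        if not HOST_RE.match(host):
            raise ValueError(f"line {lineno}: bad hostname {host!r}")
        if hosts.get(host, platform) != platform:
            raise ValueError(f"line {lineno}: {host} listed as both "
                             f"{hosts[host]} and {platform}")
        hosts[host] = platform
    return hosts


def props_conf(hosts):
    """One [host::<name>] stanza per host, pointing at the platform transform."""
    out = []
    for host, platform in hosts.items():
        out += [f"[host::{host}]",
                f"TRANSFORMS-meta_{platform}_type = meta_{platform}_type", ""]
    return "\n".join(out)


def transforms_conf():
    """One transform per platform; REGEX = . matches every event."""
    out = []
    for platform in PLATFORMS:
        out += [f"[meta_{platform}_type]", "REGEX = .",
                f"FORMAT = type::{platform}", "DEST_KEY = _meta", ""]
    return "\n".join(out)


def fields_conf():
    """Declare 'type' as indexed so type=<value> searches hit the index directly."""
    return "[type]\nINDEXED = true\n"


def tags_conf(hosts):
    """tags.conf equivalent of the original request: tag the host field value."""
    out = []
    for host, platform in hosts.items():
        out += [f"[host={host}]", f"{platform} = enabled", ""]
    return "\n".join(out)


if __name__ == "__main__":
    inventory = parse_inventory(INVENTORY)
    for name, body in (("props.conf", props_conf(inventory)),
                       ("transforms.conf", transforms_conf()),
                       ("fields.conf", fields_conf()),
                       ("tags.conf", tags_conf(inventory))):
        print(f"##### {name}\n{body}")
```

Deploy the generated props.conf and transforms.conf to the instances that parse the data (indexers, or heavy forwarders in front of them), and fields.conf to the search head; the tags.conf output is only needed if the tag approach is kept instead.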