How to bulk tag a field value pair.

New Member

So I want to bulk tag multiple field values with the same tag/alias using the Splunk Web search and not Linux configuration settings. I am trying to tag roughly 800 Windows and 800 Linux, so that's why I am trying to find a bulk way to do this in the Web versus me going through the list one by one tagging them.

Example: Field=Hostname value=server1, Field=Hostname value=server2 (Tag=windows)

Example: Field=Hostname value=server3, Field=Hostname value=server4 (Tag=linux)

Overall goal is to separate servers depending on what version.

Is this possible?

0 Karma

Esteemed Legend

It would be best not to use tags, but instead add metadata fields at index time (and do not use the field name tag) with settings like this:

In props.conf:

[host::<WindowsHost1of800>]
TRANSFORMS-meta_windows_type = meta_windows_type

[host::<LinuxHost1of800>]
TRANSFORMS-meta_linux_type = meta_linux_type

In transforms.conf:

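[meta_windows_type]
REGEX = .
# $0 carries the existing _meta value forward so earlier indexed fields are kept
FORMAT = $0 type::windows
DEST_KEY = _meta

[meta_linux_type]
REGEX = .
# $0 carries the existing _meta value forward so earlier indexed fields are kept
FORMAT = $0 type::linux
DEST_KEY = _meta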

https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction
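
The per-host props.conf stanzas in the answer above can be generated from host lists instead of being typed once per server. This is an added example, not part of the original answer or of Splunk's own tooling. It assumes one list of hostnames per OS type and reuses the transform names from the answer; the function names and the hostname character whitelist are assumptions.

```python
import re

# Assumed whitelist: rejects brackets, wildcards, whitespace and newlines so a
# bad inventory line cannot open or alter another props.conf stanza.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

# Transform stanza names taken from the answer's transforms.conf.
TRANSFORMS = {"windows": "meta_windows_type", "linux": "meta_linux_type"}


def clean_hosts(lines):
    """Drop blanks and # comments, validate, de-duplicate ignoring case."""
    seen, hosts = set(), []
    for raw in lines:
        host = raw.strip()
        if not host or host.startswith("#"):
            continue
        if not HOST_RE.fullmatch(host):
            raise ValueError(f"refusing unsafe host value: {host!r}")
        # [host::...] stanzas match case-insensitively by default.
        if host.lower() not in seen:
            seen.add(host.lower())
            hosts.append(host)
    return hosts


def build_props(hosts_by_type):
    """Return props.conf text with one [host::<name>] stanza per host."""
    cleaned = {t: clean_hosts(h) for t, h in hosts_by_type.items()}
    owner, out = {}, []
    for os_type, hosts in cleaned.items():
        name = TRANSFORMS[os_type]
        for host in hosts:
            # A host in two lists would be indexed with conflicting type values.
            prev = owner.setdefault(host.lower(), os_type)
            if prev != os_type:
                raise ValueError(f"{host} listed as both {prev} and {os_type}")
            out.append(f"[host::{host}]\nTRANSFORMS-{name} = {name}\n")
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed sample inventory; in practice read one file per OS type.
    sample = {"windows": ["server1", "server2", "", "SERVER1"],
              "linux": ["server3", "# decommissioned", "server4"]}
    print(build_props(sample))
```

Review the generated text before deploying it alongside the transforms.conf from the answer.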