Knowledge Management

How to tag a field sourcetype from the search bar?


I tried to tag the field sourcetype as suggested in the link :


Example 1: Write tags for host and eventtype fields into tag::host and tag::eventtype.

... | tags host eventtype

index=* | tags sourcetype

but it doesnt created tag::sourcetype

Please help.. Am i missing something ..?

Tags (1)
0 Karma


Search for a value you want to tag, expand an event with that field value, look for the field you want to add a tag to, click the down-triangle to the right in the Actions column and select Edit Tags. That'll let you enter a tag for this field value.

After tagging you can then search by using tag=value or tag::fieldname=value.
You can edit and add more tags through the Settings as well by going into the Tags section.

See for documentation on tagging your data.

Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...