How to tag hosts with a wildcard and search with that tag?

galindimitrov
Explorer

Hello all, I did some reading in the Splunk docs and combed through most of the topics here and I did not find an answer to my question, so if it has already been answered I apologize 🙂

My environment uses host names in order to distinguish between environments/components, and that being said I am looking to optimize our searches. Is it possible to assign a tag to a group of hosts using the UI and not have to change the config file on every host? If so, what method/approach should be used? I have already tried adding a tag with the key-value pair being:

search host="*376488822198*"

And I named the tag "test". When I try to search using the tag, or even if I try to list any results with the tag, I get "no results found".
An example:

index=* sourcetype="narnia" tag=test

Is there a way to achieve what I am trying to do?

1 Solution

galindimitrov
Explorer

It turns out that tags do not support wildcards so I found a workaround to define what I want with wildcards via eventtypes, and then associate tags with the eventtypes.

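The workaround from the accepted answer, spelled out as an added example (not from the original post): an eventtype that carries the wildcard host match, a tag bound to that eventtype, and the search that then uses the tag. The eventtype name `env_a_hosts` and the app directory are assumptions; the hostname fragment and tag name are the ones from the question.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/eventtypes.conf
# Eventtype search strings accept wildcards, so the host pattern lives here.
# "env_a_hosts" is an assumed name; the hostname fragment comes from the question.
[env_a_hosts]
search = host="*376488822198*"

# $SPLUNK_HOME/etc/apps/<your_app>/local/tags.conf
# The tag is attached to the eventtype, not to individual host values,
# so nothing has to be changed on the hosts themselves.
[eventtype=env_a_hosts]
test = enabled

# After the eventtype is loaded, the original search returns events:
#   index=* sourcetype="narnia" tag=test
# or, restricted to tags that come from eventtypes only:
#   index=* sourcetype="narnia" tag::eventtype=test
#
# Note: the eventtype is evaluated at search time, so the cost of the
# leading wildcard in host="*...*" is not removed, only hidden behind the tag.
```

The same two objects can be created without touching files under Settings > Event types, which has a Tags field on the eventtype form.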

treesquid
Engager

Hey @galindimitrov, would you mind sharing any documentation that helped you accomplish this?


to4kawa
SplunkTrust

treesquid
Engager

Hey thanks for the quick reply! I appreciate it.



to4kawa
SplunkTrust

It is better to write a query for about 20 types without using asterisks.


galindimitrov
Explorer

@to4kawa, what do you mean? Writing N+20 specific queries is faster/more optimized than writing N queries with a wildcard? In my case the hostnames themselves contain information such as project, product, environment, etc., and I want to assign a given tag to all hosts that contain a specific string in their hostname. So if I want to check for an event in the hosts from environment A, I have to use wildcards, and I would like to use tags.


to4kawa
SplunkTrust

what do you mean, writing N+20 specific queries is faster/more optimized than writing N queries with a wildcard?

Yes.
Alternatively, you can create a CSV of the host names and match it with inputlookup.
Compared to CSV, it is much faster.

Example CSV:

host,note
foo376488822198bar,your_tag
foo37648882219barbar,your_tag

Search example:

index=your_index sourcetype="narnia" [ |inputlookup your_csv|search note=your_tag|fields host]