- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- Re: How to tag hosts with a wildcard and search wi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all, I dod some reading in the Splunk docs and combed through most of the topics here and I did not find and answer to my question, so if it has already been answered I apologize 🙂
My environment uses host-names in order to distinguish between environments/components, and that being said I am looking to optimize our searches. Is it possible to assign a tag to a gorup of hosts using the UI and not have to change the config file on every host, if so what method/approach should be used? I have already tried adding a tag with a key-value-pair being:
search host="*376488822198*"
And I named the tag "test". When I try to search using the tag or even if I try to list any results with the tag I get "no results found"
An example:
index=* sourcetype="narnia" tag=test
Is there a way to achieve what I am trying to do?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It turns out that tags do not support wildcards so I found a workaround to define what I want with wildcards via eventtypes, and then associate tags with the eventtypes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @galindimitrov, would you mind sharing any documentation that helped you accomplish this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey thanks for the quick reply! I appreciate it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It turns out that tags do not support wildcards so I found a workaround to define what I want with wildcards via eventtypes, and then associate tags with the eventtypes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is better to write a query for about 20 types without using asterisks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa, what do you mean, writing N+20 specific queries is faster/more optimized than writing N queries with a wildcard? In my case the hostnames themselves contain information such as project, product, environment etc. And i want to assign a given tag to all hosts that contain a specific string in their hostname. So if I want to check for an event in the hosts from environment A, I have to use wildcards, and I would like to use tags.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what do you mean, writing N+20 specific queries is faster/more optimized than writing N queries with a wildcard?
yes,
Alternatively, you can create a CSV of the host name and match it with inputlookup.
Compared to CSV, it is much faster.
exmple csv:
host,note
foo376488822198bar,your_tag
foo37648882219barbar,your_tag
search example:
index=your_index sourcetype="narnia" [ |inputlookup your_csv|search note=your_tag|fields host]
Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...
IM Landing Page Filter - Now Available
Dynamic Links from Alerts to IM Navigators - New in Observability Cloud
