Hello all, I did some reading in the Splunk docs and combed through most of the topics here and I did not find an answer to my question, so if it has already been answered I apologize 🙂
My environment uses host-names in order to distinguish between environments/components, and that being said I am looking to optimize our searches. Is it possible to assign a tag to a group of hosts using the UI and not have to change the config file on every host, if so what method/approach should be used? I have already tried adding a tag with a key-value-pair being:
search host="*376488822198*"
And I named the tag "test". When I try to search using the tag or even if I try to list any results with the tag I get "no results found"
An example:
index=* sourcetype="narnia" tag=test
Is there a way to achieve what I am trying to do?
It turns out that tags do not support wildcards so I found a workaround to define what I want with wildcards via eventtypes, and then associate tags with the eventtypes.
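The eventtype-plus-tag workaround described in the accepted answer, written out as the two .conf stanzas it produces. This is an added example, not configuration posted by the answer's author; the eventtype name env_a_hosts, the app path and the tag name test are assumptions. The same stanzas are created for you when you use Settings > Event types and Settings > Tags in the UI, so nothing has to change on the forwarders themselves.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/eventtypes.conf  (assumed app path)
# The eventtype carries the wildcard; eventtype searches may not contain a pipe.
[env_a_hosts]
search = host="*376488822198*"

# $SPLUNK_HOME/etc/apps/<your_app>/local/tags.conf
# Stanza header is [<field>=<value>]; the tag is attached to the eventtype, not to host.
[eventtype=env_a_hosts]
test = enabled

# Searches that now work (tag::eventtype restricts the match to eventtype tags):
#   index=* sourcetype="narnia" tag=test
#   index=* sourcetype="narnia" tag::eventtype=test
```

One caveat: the eventtype does not remove the wildcard, it only hides it. At search time Splunk still evaluates host="*376488822198*" against the index, so this buys reuse and readability rather than speed; check the Job Inspector if search time, not maintainability, is the goal.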
Hey @galindimitrov, would you mind sharing any documentation that helped you accomplish this?
Hey thanks for the quick reply! I appreciate it.
It is better to write a query for about 20 types without using asterisks.
@to4kawa, what do you mean, writing N+20 specific queries is faster/more optimized than writing N queries with a wildcard? In my case the hostnames themselves contain information such as project, product, environment etc. And i want to assign a given tag to all hosts that contain a specific string in their hostname. So if I want to check for an event in the hosts from environment A, I have to use wildcards, and I would like to use tags.
what do you mean, writing N+20 specific queries is faster/more optimized than writing N queries with a wildcard?
yes,
Alternatively, you can create a CSV of the host name and match it with inputlookup. Compared to CSV, it is much faster.
example csv:
host,note
foo376488822198bar,your_tag
foo37648882219barbar,your_tag
search example:
index=your_index sourcetype="narnia" [ |inputlookup your_csv|search note=your_tag|fields host]
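Before `| inputlookup your_csv` can read the file above, the CSV has to be uploaded as a lookup table file and given a lookup definition. This is an added example, not configuration from to4kawa's post; the file name your_csv.csv is an assumption, and the lookup can equally be created under Settings > Lookups in the UI.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/transforms.conf  (assumed app path)
# your_csv.csv lives in the same app's lookups/ directory and has the columns host,note.
[your_csv]
filename = your_csv.csv

# With the definition in place the subsearch from the post resolves first and
# expands into exact host terms, which is why it is fast: the outer search hits
# the indexed host field with literal values instead of a leading wildcard.
#   index=your_index sourcetype="narnia" [ |inputlookup your_csv|search note=your_tag|fields host]
# becomes, in effect:
#   index=your_index sourcetype="narnia" ( ( host="foo376488822198bar" ) OR ( host="foo37648882219barbar" ) )
```

Keep the lookup's permissions in mind: a subsearch-driven host list is only as trustworthy as whoever can edit the CSV, so share it read-only and scope it to the app that needs it.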