How to tag hosts with a wildcard and search with that tag?

galindimitrov
Explorer

Hello all, I did some reading in the Splunk docs and combed through most of the topics here and I did not find an answer to my question, so if it has already been answered I apologize 🙂

My environment uses host-names in order to distinguish between environments/components, and that being said I am looking to optimize our searches. Is it possible to assign a tag to a group of hosts using the UI and not have to change the config file on every host? If so, what method/approach should be used? I have already tried adding a tag with a key-value pair being:

search host="*376488822198*"

And I named the tag "test". When I try to search using the tag, or even if I try to list any results with the tag, I get "no results found".
An example:

index=* sourcetype="narnia" tag=test

Is there a way to achieve what I am trying to do?

1 Solution

galindimitrov
Explorer

It turns out that tags do not support wildcards so I found a workaround to define what I want with wildcards via eventtypes, and then associate tags with the eventtypes.

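The eventtype-plus-tag workaround from the accepted answer, written out as an added example (not configuration posted in the original thread). It assumes the eventtype name env_a_hosts and the tag name test; the stanzas live in eventtypes.conf and tags.conf of an app on the search head (Settings > Event types and Settings > Tags in the UI write the same stanzas), so nothing has to change on the forwarders.

```ini
# eventtypes.conf, on the search head only (the eventtype name is an assumption).
# The eventtype's search string may contain the wildcard that a tag cannot.
[env_a_hosts]
search = host="*376488822198*"
description = Hosts whose name carries the environment A identifier

# tags.conf, same app.
# A tag is attached to a literal field=value pair and does not accept wildcards,
# so a stanza like this one is what gives "no results found":
#   [host=*376488822198*]
#   test = enabled
# Tag the eventtype instead; the wildcard lives only in the eventtype search.
[eventtype=env_a_hosts]
test = enabled
```

After the search head picks up the new knowledge objects, index=* sourcetype="narnia" tag=test returns the same events as index=* sourcetype="narnia" host="*376488822198*", because Splunk expands tag=test to the tagged eventtype and the eventtype to its search string. That expansion happens at search time, so the leading-wildcard host term is still evaluated against every event in scope: the tag keeps the host pattern in one place and saves typing, but it does not make the search cheaper, which is the point of the explicit host list and CSV lookup suggested in the later replies.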

treesquid
Engager

Hey @galindimitrov, would you mind sharing any documentation that helped you accomplish this?


to4kawa
Ultra Champion

treesquid
Engager

Hey thanks for the quick reply! I appreciate it.



to4kawa
Ultra Champion

It is better to write a query for about 20 types without using asterisks.


galindimitrov
Explorer

@to4kawa, what do you mean, writing N+20 specific queries is faster/more optimized than writing N queries with a wildcard? In my case the hostnames themselves contain information such as project, product, environment etc. And I want to assign a given tag to all hosts that contain a specific string in their hostname. So if I want to check for an event in the hosts from environment A, I have to use wildcards, and I would like to use tags.


to4kawa
Ultra Champion

what do you mean, writing N+20 specific queries is faster/more optimized than writing N queries with a wildcard?

Yes.
Alternatively, you can create a CSV of the host names and match it with inputlookup.
Compared to CSV, it is much faster.

Example CSV:

host,note
foo376488822198bar,your_tag
foo37648882219barbar,your_tag

Search example:

index=your_index sourcetype="narnia" [ |inputlookup your_csv|search note=your_tag|fields host]