Knowledge Management

Is it possible to group results by their tag?

richnavis
Contributor

I'd have a number of servers that are tagged with a category of the system owner. Can I use these tags to group the reports?

Servers 1 to 10 have a tag named "systems"
Servers 11 to 20 have a tag named "database"
Servers 21 to 30 have a tag named "database"

Is it possible to write a search that groups results by tag?

For example, if I was searching for the number of errors on all these servers, it would return something like this..

Tag Count
systems 22
database 18
network 8

Tags (1)
0 Karma

gkanapathy
Splunk Employee
Splunk Employee
... | stats count by host::tag

crazyeva
Contributor

Why it doesn't work? I tried and get what I wanted.
But I have question: If a server was tagged "systems" and meanwhile "database", will that event be counted twice when "stats count by tag::host"?

0 Karma

asdfasdf12321
Explorer

Yes, it would be counted twice in this case.

0 Karma

richnavis
Contributor

Although this doesn't return an error, it also doesn't return any results.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

my mistake. i meant ... | stats count by tag::host

richnavis
Contributor

Thanks for the reply, but when I attempt this, I get Error in 'stats' command: The argument 'host::tag' is invalid. I wasn't sure if you meant this literally, or if tag should have been replaced by the name of the tag. I tried the tag name "Owner" it the same error occurred.. I'm running 4.2.1.. Perhaps this is no longer supported?

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>