Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

May I search for a tag "later" in the search string?

secfrit
Explorer
‎01-26-2016 08:34 AM

I wonder why the following search string is returning events as expected

index=* tag=web tag=proxy

but if I search for the proxy tag later I get no events at all

index=* tag=web | search tag=proxy
0 Karma
Reply

secfrit
Explorer
‎01-27-2016 04:58 AM

Mhhh it seems to be related with the way I'm applying tags... at the moment I'm using the following stanza in my tags.conf

[eventtype=proxy_logs_*]
proxy = enabled
web = enabled

and it seems to apply tags only if you use them at the beginning of the search string.

I know the wildcard usage in this specific case is not documented but it seemed to work 😛

Using one stanza for each eventtype value seems to solve the issue (i.e. manually expanding the wildcard).

0 Karma
Reply

Umesh_Vedicsoft
Path Finder
‎01-26-2016 10:53 PM

Hi Secrit,

I am also tried these tags which are my own tags working properly .i got returned event.the query like this

index=* tag=code | search tag=vendors
i suggest you to check your proxy tag whether it is created properly or not by using stats command.

alt text

tag-solution.png
Preview file
140 KB
Reply

jbjerke_splunk
Splunk Employee
Splunk Employee
‎01-26-2016 09:28 AM

Hi secrit

Yes there is nothing that prevents you from doing that. I just tried this out in my SFDC environment I get events returned back. 

index=* tag=sfdc | search tag=opportunity

May I suggest that you try this search to verify that other tags exists for your events that are tagged with web?

index=* tag=web | stats count by tag

Let me know how you get along.

j

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
Top