May I search for a tag "later" in the search strin...

secfrit · ‎01-26-2016

I wonder why the following search string is returning events as expected

index=* tag=web tag=proxy

but if I search for the proxy tag later I get no events at all

index=* tag=web | search tag=proxy

secfrit · ‎01-27-2016

Mhhh it seems to be related with the way I'm applying tags... at the moment I'm using the following stanza in my tags.conf

[eventtype=proxy_logs_*]
proxy = enabled
web = enabled

and it seems to apply tags only if you use them at the beginning of the search string.

I know the wildcard usage in this specific case is not documented but it seemed to work 😛

Using one stanza for each eventtype value seems to solve the issue (i.e. manually expanding the wildcard).

Umesh_Vedicsoft · ‎01-26-2016

Hi Secrit,

I am also tried these tags which are my own tags working properly .i got returned event.the query like this

index=* tag=code | search tag=vendors
i suggest you to check your proxy tag whether it is created properly or not by using stats command.

alt text

jbjerke_splunk · ‎01-26-2016

Hi secrit

Yes there is nothing that prevents you from doing that. I just tried this out in my SFDC environment I get events returned back.

index=* tag=sfdc | search tag=opportunity

May I suggest that you try this search to verify that other tags exists for your events that are tagged with web?

index=* tag=web | stats count by tag

Let me know how you get along.

j

May I search for a tag "later" in the search string?

Buttercup Games: Further Dashboarding Techniques (Part 4)

What You Read The Most: Splunk Lantern’s Most Popular Articles!

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...