Knowledge Management

May I search for a tag "later" in the search string?

secfrit
Explorer

I wonder why the following search string is returning events as expected

index=* tag=web tag=proxy

but if I search for the proxy tag later I get no events at all

index=* tag=web | search tag=proxy
0 Karma

secfrit
Explorer

Mhhh it seems to be related with the way I'm applying tags... at the moment I'm using the following stanza in my tags.conf

[eventtype=proxy_logs_*]
proxy = enabled
web = enabled

and it seems to apply tags only if you use them at the beginning of the search string.

I know the wildcard usage in this specific case is not documented but it seemed to work 😛

Using one stanza for each eventtype value seems to solve the issue (i.e. manually expanding the wildcard).

0 Karma

Umesh_Vedicsoft
Path Finder

Hi Secrit,

I am also tried these tags which are my own tags working properly .i got returned event.the query like this

index=* tag=code | search tag=vendors
i suggest you to check your proxy tag whether it is created properly or not by using stats command.

alt text

jbjerke_splunk
Splunk Employee
Splunk Employee

Hi secrit

Yes there is nothing that prevents you from doing that. I just tried this out in my SFDC environment I get events returned back.

index=* tag=sfdc | search tag=opportunity

May I suggest that you try this search to verify that other tags exists for your events that are tagged with web?

index=* tag=web | stats count by tag

Let me know how you get along.

j

0 Karma
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...