Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

May I search for a tag "later" in the search string?

secfrit
Explorer
‎01-26-2016 08:34 AM

I wonder why the following search string is returning events as expected

index=* tag=web tag=proxy

but if I search for the proxy tag later I get no events at all

index=* tag=web | search tag=proxy
0 Karma
Reply

secfrit
Explorer
‎01-27-2016 04:58 AM

Mhhh it seems to be related with the way I'm applying tags... at the moment I'm using the following stanza in my tags.conf

[eventtype=proxy_logs_*]
proxy = enabled
web = enabled

and it seems to apply tags only if you use them at the beginning of the search string.

I know the wildcard usage in this specific case is not documented but it seemed to work 😛

Using one stanza for each eventtype value seems to solve the issue (i.e. manually expanding the wildcard).

0 Karma
Reply

Umesh_Vedicsoft
Path Finder
‎01-26-2016 10:53 PM

Hi Secrit,

I am also tried these tags which are my own tags working properly .i got returned event.the query like this

index=* tag=code | search tag=vendors
i suggest you to check your proxy tag whether it is created properly or not by using stats command.

alt text

Preview file
140 KB
Reply

jbjerke_splunk
Splunk Employee
Splunk Employee
‎01-26-2016 09:28 AM

Hi secrit

Yes there is nothing that prevents you from doing that. I just tried this out in my SFDC environment I get events returned back. 

index=* tag=sfdc | search tag=opportunity

May I suggest that you try this search to verify that other tags exists for your events that are tagged with web?

index=* tag=web | stats count by tag

Let me know how you get along.

j

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...