Knowledge Management

May I search for a tag "later" in the search string?

Explorer

I wonder why the following search string is returning events as expected

index=* tag=web tag=proxy

but if I search for the proxy tag later I get no events at all

index=* tag=web | search tag=proxy
0 Karma

Explorer

Mhhh, it seems to be related to the way I'm applying tags... at the moment I'm using the following stanza in my tags.conf

[eventtype=proxy_logs_*]
proxy = enabled
web = enabled

and it seems to apply tags only if you use them at the beginning of the search string.

I know the wildcard usage in this specific case is not documented but it seemed to work 😛

Using one stanza for each eventtype value seems to solve the issue (i.e. manually expanding the wildcard).

0 Karma
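
The workaround in the post above (one tags.conf stanza per event type instead of a wildcard stanza) can be generated rather than typed by hand. This is an added example, not part of the original thread: a Python sketch that expands wildcard eventtype stanzas in tags.conf against the stanza names found in eventtypes.conf. The event type names and their searches are constructed samples, and treating * as a shell-style glob is an assumption.

```python
import configparser
import fnmatch

# Constructed sample eventtypes.conf (names and searches are hypothetical).
EVENTTYPES_CONF = """\
[proxy_logs_squid]
search = sourcetype=squid:access

[proxy_logs_bluecoat]
search = sourcetype=bluecoat:proxysg

[firewall_logs]
search = sourcetype=fw
"""

# The wildcard stanza quoted in the post.
TAGS_CONF = """\
[eventtype=proxy_logs_*]
proxy = enabled
web = enabled
"""


def _parse(text):
    # Splunk .conf files are INI-like: keep key case, split on the first '='.
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def expand_wildcard_tags(tags_text, eventtypes_text):
    """Return tags.conf text with one explicit stanza per matching event type."""
    eventtypes = sorted(_parse(eventtypes_text).sections())
    tags = _parse(tags_text)
    out = []
    for stanza in tags.sections():
        field, sep, value = stanza.partition("=")
        if sep and field == "eventtype" and "*" in value:
            targets = [f"eventtype={n}" for n in eventtypes
                       if fnmatch.fnmatchcase(n, value)]
        else:
            targets = [stanza]  # non-wildcard stanzas pass through unchanged
        for target in targets:
            out.append(f"[{target}]")
            out.extend(f"{k} = {v}" for k, v in tags.items(stanza))
            out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(expand_wildcard_tags(TAGS_CONF, EVENTTYPES_CONF))
```

A wildcard that matches no event type produces no stanza at all, so an empty result is worth checking before replacing the existing file.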

Path Finder

Hi Secrit,

I also tried this with my own tags, which are working properly, and I got events returned. The query is like this:

index=* tag=code | search tag=vendors

I suggest you check whether your proxy tag is created properly or not by using the stats command.

Splunk Employee

Hi secrit

Yes, there is nothing that prevents you from doing that. I just tried this out in my SFDC environment and I get events returned.

index=* tag=sfdc | search tag=opportunity

May I suggest that you try this search to verify that other tags exist for your events that are tagged with web?

index=* tag=web | stats count by tag

Let me know how you get along.

j

0 Karma