Sorting results by time when an event was tagged

cr019283
New Member

I collect data over a period of time, and someone in the team can add a tag to collected events; some of the events were added a year ago, some of them within hours or days.

For example, with this query:

index=collected_events | stats count(tag) by tag

I would like to see stats about all recently tagged events even if they are very old.

Is it possible to query only for events that got tags within the last hour or day (basically I need tag creation time instead of event import time)?

Can Splunk sort details based on the time when a tag was added rather than when data was added to the index?

Can I display the content of tags.conf from the search box, for example to make a join query?

0 Karma

martin_mueller
SplunkTrust

The creation time of a tag is not known to the search; all tags apply to all old data by design.
To work around this, you could "tag" your data with lookups. Say you want to tag data by the host field; you'd create a lookup with these three columns:

host, host_tag, valid_from

Then anyone "tagging" hosts would add a row to this lookup, including the time from which the tag should apply. This lookup would be configured as an automatic time-based lookup to magically only apply from the valid_from time and onwards.

To display available tags, you can make REST calls from the search bar like this:

| rest splunk_server=local /services/saved/fvtags | table title tags eai:acl.app author
0 Karma

martin_mueller
SplunkTrust

I think you're not looking for tags then. You'd need to build a place to store the fact "row xyz was tagged as foo on date", e.g. in a lookup file or kvstore.

0 Karma
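The two lookup-based designs from the answers above (a host tag with a valid_from column applied as an automatic time-based lookup, and a per-row ledger recording "row xyz was tagged as foo on date"), written out as Splunk app files. This is an added example, not code from the thread or from Splunk; the app name tag_ledger, the sourcetype name collected_events_sourcetype, the field names host_tag, valid_from, event_id and tagged_at, and every CSV row are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example: materialise both lookup-based "tagging" designs as files
# under one Splunk app. Everything below the $SPLUNK_HOME layout is an
# assumption (app name, sourcetype name, field names, sample rows).
set -eu

write_tag_ledger_app() {
    app="$1"
    mkdir -p "$app/lookups" "$app/local"

    # Design 1: tag hosts from a point in time onwards (constructed rows).
    cat > "$app/lookups/host_tags.csv" <<'EOF'
host,host_tag,valid_from
web01,important,2023-01-15T09:00:00
web01,decommissioned,2024-06-01T00:00:00
db02,important,2024-05-20T14:30:00
EOF

    # Design 2: per-row ledger "event_id was tagged tag at tagged_at".
    cat > "$app/lookups/event_tags.csv" <<'EOF'
event_id,tag,tagged_at
evt-0001,important,2024-05-20T14:31:05
evt-0042,suspicious,2024-05-21T08:12:40
EOF

    cat > "$app/local/transforms.conf" <<'EOF'
[host_tags]
filename = host_tags.csv
# Time-based lookup: for each event Splunk picks the row whose valid_from is
# the latest one at or before the event's _time (within max_offset_secs),
# so a tag added today does not retroactively apply to last year's events.
time_field = valid_from
time_format = %Y-%m-%dT%H:%M:%S
max_offset_secs = 2000000000
min_offset_secs = 0

[event_tags]
filename = event_tags.csv
EOF

    # Automatic lookup on the (assumed) sourcetype of the collected events.
    cat > "$app/local/props.conf" <<'EOF'
[collected_events_sourcetype]
LOOKUP-host_tag = host_tags host OUTPUT host_tag
EOF

    # Searches that answer "what was tagged recently, however old the data".
    cat > "$app/local/savedsearches.conf" <<'EOF'
[hosts_tagged_last_hour]
search = | inputlookup host_tags.csv | eval tagged_epoch = strptime(valid_from, "%Y-%m-%dT%H:%M:%S") | where tagged_epoch >= relative_time(now(), "-1h") | sort - tagged_epoch

[events_tagged_last_day]
search = index=collected_events earliest=0 | lookup event_tags event_id OUTPUT tag tagged_at | where isnotnull(tag) | eval tagged_epoch = strptime(tagged_at, "%Y-%m-%dT%H:%M:%S") | where tagged_epoch >= relative_time(now(), "-1d") | sort - tagged_epoch | table tagged_at tag event_id _time _raw

[tag_one_event]
search = | makeresults | eval event_id = "evt-0007", tag = "important", tagged_at = strftime(now(), "%Y-%m-%dT%H:%M:%S") | fields - _time | outputlookup append=true event_tags.csv
EOF
}

# Only write files when a target directory is given on the command line,
# e.g. ./tag_ledger.sh "$SPLUNK_HOME/etc/apps/tag_ledger"
if [ $# -gt 0 ]; then
    write_tag_ledger_app "$1"
fi
```

The events_tagged_last_day search has to scan all time (earliest=0) because the ledger, not the event timestamp, decides what is recent; on a large index, restrict it to the sourcetype or run it as a scheduled search. The tag_one_event search appends to the lookup, so it should be run deliberately rather than scheduled, and with no write-back from the automatic lookup the lookup file itself is the only record of who tagged what and when.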

cr019283
New Member

Thank you for the quick response. I think it doesn't solve my use case, as I would like to get the exact time when a tag was added to a given row rather than when a tag was created.

For example, I could create a tag called 'important' and start adding it to various events, and then I would like to see the last tagged ones. What I need is probably a timestamp of the last modification, if we can call adding 'a tag' a modification.

0 Karma