I collect data over a period of time, and anyone in the team can add a tag to collected events; some of the events were added a year ago, some within hours or days.
For example, with this query:
index=collected_events | stats count(tag) by tag
I would like to see stats about all recently tagged events even if they are very old.
Is it possible to query only for events that got tags within the last hour or day (basically I need tag creation time instead of event import time)?
Can Splunk sort details based on the time when a tag was added rather than when the data was added to the index?
Can I display the content of tags.conf from the search box, for example to make a join query?
The creation time of a tag is not known to the search; all tags apply to all old data by design.
To work around this, you could "tag" your data with lookups. Say you want to tag data by the host field; you'd create a lookup with these three columns:
host, host_tag, valid_from
Then anyone "tagging" hosts would add a row to this lookup, including the time from which the tag should apply. This lookup would be configured as an automatic time-based lookup to magically apply only from the valid_from time onwards.
To display available tags, you can make REST calls from the search bar like this:
| rest splunk_server=local /services/saved/fvtags | table title tags eai:acl.app author
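The time-based lookup described in the answer above, written out as Splunk configuration. This is an added example, not config from the original answer or from Splunk's documentation; the stanza name host_tag_lookup, the file name host_tags.csv, the sourcetype my_sourcetype, the app path and the sample rows are all assumptions.

```ini
# Added example (assumed names throughout). Three pieces are needed:
# the CSV that people edit, a transforms.conf stanza that makes it a
# time-based lookup, and a props.conf stanza that applies it automatically.

# 1) $SPLUNK_HOME/etc/apps/search/lookups/host_tags.csv  (constructed sample)
#
#   host,host_tag,valid_from
#   web01,important,2024-03-01T09:00:00+0000
#   db01,reviewed,2024-03-05T14:30:00+0000
#   web01,resolved,2024-03-07T08:15:00+0000
#
# Anyone "tagging" a host appends a row; valid_from records when the tag
# was applied, which is the timestamp the original question is after.

# 2) $SPLUNK_HOME/etc/apps/search/local/transforms.conf
[host_tag_lookup]
filename = host_tags.csv
# time_field turns this into a time-based lookup: a row is matched against
# an event's _time, not against the row's other columns alone.
time_field = valid_from
time_format = %Y-%m-%dT%H:%M:%S%z
# An event matches a row only when _time is between valid_from + min_offset_secs
# and valid_from + max_offset_secs. These are the defaults, spelled out:
# "from valid_from onwards, with no upper bound in practice".
min_offset_secs = 0
max_offset_secs = 2000000000

# 3) $SPLUNK_HOME/etc/apps/search/local/props.conf
# Automatic lookup: every event of this sourcetype gets host_tag filled in
# at search time, keyed on its host field and its _time.
[my_sourcetype]
LOOKUP-host_tag = host_tag_lookup host OUTPUT host_tag

# Searches (SPL, shown here as comments):
#
#   Count events by the tag that was in force at event time:
#     index=collected_events host_tag=* | stats count by host_tag
#
#   Same thing without the automatic lookup configured:
#     index=collected_events | lookup host_tag_lookup host OUTPUT host_tag
#       | stats count by host_tag
#
#   List tags that were added within the last day, using the lookup itself
#   rather than the events (this is where the "when was it tagged" answer lives):
#     | inputlookup host_tags.csv
#       | where strptime(valid_from, "%Y-%m-%dT%H:%M:%S%z") >= relative_time(now(), "-1d")
```

Two caveats for anyone adopting this. First, a time-based lookup matches an event to a single row per key, the one whose valid_from is closest before the event's _time, so in the sample above an event from web01 on 2024-03-08 gets host_tag=resolved, not both tags; this models "the tag in force at the time", not a set of tags. Second, because matching is relative to _time, a row added today does not retroactively label year-old events; to find "what was tagged recently" regardless of event age, query the lookup's valid_from column directly, as in the last search above.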
Thank you for the quick response. I think it doesn't solve my use case, as I would like to get the exact time when a tag was added to a given row rather than when the tag was created.
For example, I could create a tag called 'important' and start adding it to various events, and then I would like to see the last tagged ones. What I need is probably a timestamp of the last modification, if we can call adding a tag a modification.