Knowledge Management

Tags: Whats the best way to see all that is tagged

Splunk Employee
Splunk Employee

I am working on a project where several people are going in to a Splunk server and tagging hosts. (Tagging is used, in this case to denote the person responsible for extracting fields on a host AND to set the state of tagging.. like "done" or "in process".

Is there a smart way to see all hosts that have been tagged, what their tags are (and conversely, which hosts haven't been tagged).

I know i could do a search on "* NOT (host::tag::fx_done OR host::tag::fx_wip)" but that wouldn't be efficient as I don't really need events.. just metadata.

Previous versions of Splunk had the tags listed next to host metadata on the Summary page.

Thoughts?

Tags (1)
1 Solution

Splunk Employee
Splunk Employee
| metadata type=hosts | tags | search NOT (tag::host=fx_done OR tag::host=fx_wip)

will add the tags for each host to the metadata as an MV field, and then you can search on them.

View solution in original post

Splunk Employee
Splunk Employee
| metadata type=hosts | tags | search NOT (tag::host=fx_done OR tag::host=fx_wip)

will add the tags for each host to the metadata as an MV field, and then you can search on them.

View solution in original post

Explorer

Is there a way of subsetting to the tags definined in a particular app?

0 Karma

Splunk Employee
Splunk Employee

huh, what do you know. totally undocumented. i wonder if it's supposed to be.

0 Karma

Splunk Employee
Splunk Employee

I didnt' think | tags was still a search command. It doesn't show up in the search assistant. I should have just tried it.. but then again, its a worthy question for others to know. Thanks for the answer G.

0 Karma

Splunk Employee
Splunk Employee

the tags command is the same one that was used to retrieve and display the tags in the dashboards in 3.x, and still works in 4.x. It's just the dasboards have changed and no longer display them.