Knowledge Management

Using tags to search other fields

mcm10285
Communicator

I'm trying to find a way to use tags in a search such that the tag entries are cross-matched against the search. This sounds like a job for lookups, but is there a way to use the tag?

I found this link (below), but I'm not sure it works for me or if I did anything wrong.

    eventtype=foo [search tag::host=tagname | dedup host | fields host | rename host as foo_field]...

http://splunk-base.splunk.com/answers/1325/using-host-tags-or-similar-when-searching-on-fields

  • My objective: To get the same result as the search below.

    eventtype=foo ip1 OR ip2 OR ip3 | table foo_field field1 field2

    foo_field is a field from the eventtype that would correspond to ip1, ip2, ip3, etc.

  • Given: tagname: host=ip1, host=ip2, host=ip3

Except for using lookup table, any other ideas?


martin_mueller
SplunkTrust

Assuming search tag::host=tagname yields events from hosts ip1, ip2, and ip3, the first subsearch should build a search something like this:

    eventtype=foo (foo_field=ip1 OR foo_field=ip2 OR foo_field=ip3)

That's different from your desired search eventtype=foo ip1 OR ip2 OR ip3, for that you could modify the subsearch into this:

    eventtype=foo [search tag::host=tagname | return $host]

This will build a search something like this:

    eventtype=foo (ip1 OR ip2 OR ip3)
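A fuller form of that subsearch, added here as an example and not taken from the thread, that filters on the asker's foo_field instead of a bare keyword; the tag name, hosts and eventtype are assumed from the question, and the count on `return` is set explicitly because `return` emits only one row by default:

```spl
eventtype=foo
    [ search tag::host=tagname
      | stats count BY host
      | return 1000 foo_field=host ]
| table foo_field field1 field2
```

The subsearch expands to `eventtype=foo (foo_field="ip1" OR foo_field="ip2" OR foo_field="ip3")`, but only for tagged hosts that actually logged events in the search time range, which is the limitation the asker raises below.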

martin_mueller
SplunkTrust

I see, you want an entire list of tags... the REST API is the way to go then, using the rest command in the search language and this endpoint: http://docs.splunk.com/Documentation/Splunk/5.0.2/RESTAPI/RESTknowledge#search.2Ftags.2F.7Btag_name....


mcm10285
Communicator

Thanks for this. However, I don't think it will work, since it is still looking into "host=ip1" as the log source and just returning that value as something to pass from the subsearch. What I need is a search that looks into all the values defined in the tag and passes them to the main search.

It looks like lookup table is the way to go.
