I'm trying to find a way to use tags in a search such that the tag entries are cross-matched to the search. This sounds like a job for lookups, but is there a way to use the tag?
I found this link (below), but I'm not sure it works for me or if I did anything wrong.
eventtype=foo [search tag::host=tagname | dedup host | fields host | rename host as foo_field]...
http://splunk-base.splunk.com/answers/1325/using-host-tags-or-similar-when-searching-on-fields
My objective: To get the same result as the search below.
eventtype=foo ip1 OR ip2 OR ip3|table foo_field field1 field2
foo_field is a field from the eventtype that would correspond to the ip1, ip2, ip3, etc.
Given: tagname: host=ip1, host=ip2, host=ip3
Other than using a lookup table, any other ideas?
Assuming search tag::host=tagname yields events from hosts ip1, ip2, and ip3, the first subsearch should build a search something like this:
eventtype=foo (foo_field=ip1 OR foo_field=ip2 OR foo_field=ip3)
That's different from your desired search eventtype=foo ip1 OR ip2 OR ip3; for that you could modify the subsearch into this:
eventtype=foo [search tag::host=tagname | return $host]
This will build a search something like this:
eventtype=foo (ip1 OR ip2 OR ip3)
I see, you want an entire list of tags... the REST API is the way to go then, using the rest command in the search language and this endpoint: http://docs.splunk.com/Documentation/Splunk/5.0.2/RESTAPI/RESTknowledge#search.2Ftags.2F.7Btag_name....
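Reading the tag definition itself with the rest command, as the comment above suggests, shown as an added example that is not from this thread. It assumes a tag named tagname applied to host values, and that each entry returned by the search/tags/{tag_name} endpoint carries its field::value pair (e.g. host::ip1) in the title field:

```spl
eventtype=foo
    [| rest /services/search/tags/tagname splunk_server=local
     | rex field=title "^host::(?<foo_field>.+)$"
     | where isnotnull(foo_field)
     | fields foo_field
     | format]
| table foo_field field1 field2
```

Because the subsearch reads the tag's definition rather than indexed events, it returns every tagged host even if none of them has logged anything in the search window. Run the bracketed part on its own, ending in | table title, to check which field::value pairs the tag actually contains before trusting the expansion.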
Thanks for this. However, I don't think it will work, since it is still looking into "host=ip1" as the log source and just returning that value as something to pass from the subsearch. What I need is a search that looks into all the values defined in the tag and passes them to the main search.
It looks like a lookup table is the way to go.