Hi Splunkers,
I have this search host=slc-p-cv01 sourcetype=csv that returns what I expect.
I am trying to make a tag called cv that contains this search.
So I create a tag, in the "Field value pair" I put the above search. In the Tag name, I put cv. I also gave the tag full permissions.
When I perform the search, it works. The tag returns nothing.
Thanks in advance!
This answer explains it well.
https://answers.splunk.com/answers/238355/what-are-the-definitions-of-tag-and-eventtype-and.html
I think what I need is an event type. Apparently a tag is a single key=value pair, where an eventtype can have multiple prepipe statements (which is what I have).
But, correct me if I am wrong, I could do this:
host=slc-p-cv01
tag=cv
sourcetype=csv
tag=cv
And it would be the same thing as
host=slc-p-cv01 sourcetype=csv
eventtype=cv
But my event type isn't working either.
Ah, got it! I had a typo.
@HCadmins - Sounds like you resolved your issue? If yes, let me know and I will convert your comment as an Answer 🙂
I did resolve my own issue. Thanks!
Just for curiosity, I'm not sure whether it should be a tag or an eventtype... it bothers me ;-)
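
An added example, not part of the original thread: how the two knowledge objects discussed above look in Splunk's tags.conf and eventtypes.conf, using the host and sourcetype values from the question. The tag name cv_servers in the last stanza is hypothetical.

```ini
# --- tags.conf ---
# Each stanza is exactly one field=value pair; the tag name is the key.
[host=slc-p-cv01]
cv = enabled

[sourcetype=csv]
cv = enabled
# With both stanzas above, searching tag=cv matches events that carry
# EITHER pair (host=slc-p-cv01 OR sourcetype=csv), not only events with both.

# --- eventtypes.conf ---
# The stanza name is the event type. The search string may combine
# several terms, but it cannot contain a pipe.
[cv]
search = host=slc-p-cv01 sourcetype=csv
# Searching eventtype=cv matches events with host=slc-p-cv01 AND sourcetype=csv.

# --- tags.conf ---
# eventtype=cv is itself a field=value pair, so the event type can be tagged.
# cv_servers is a hypothetical tag name used for illustration.
[eventtype=cv]
cv_servers = enabled
```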