Knowledge Management
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

server tags

rashid47010
Communicator
‎01-01-2017 11:59 AM

Hi everyone
I have four server. two are web portal and two are application servers. all four servers belongs to one online service. Now for my simple understanding I want to tag them as service name so when i give below query I should see the events from all those four servers.

tag=onlineapplication

how can I do that

Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-01-2017 11:14 PM

Hi rashid47010
I like to use tags associated to eventtypes, so I create an eventtype like this

my_index=my_index sourcetype=my_sourcetype (host=hostAS1 OR host=hostAS2)

associating to it tag=applicationserver
and then 

my_index=my_index sourcetype=my_sourcetype (host=hostOS1 OR host=hostOS2)

associating to it tag=onlineservices

In this way I can use them instead searches (your search became tag=applicationserver OR tag=onlineservices) and you can easily manage changes in architecture (e.g. inserting an additional server) modifying only eventtype instead all searches.

Have a good year.
Bye.
Giuseppe

0 Karma
Reply

rashid47010
Communicator
‎01-02-2017 08:17 AM

great idea, but unfortunately for some services I have 15 to 20 servers. my next plan to tag them based on zones. and then tag them as internal resources or external.

so at the end all host have three type of tags.

1- based on application
2- based on DMZ zones
3- based on internal or external location( internal means within the network and external means coming from internet)

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-02-2017 11:45 PM

Ok what is the problem? you'll have more than two tags but every way you can easily manage them in only one point.
In addition think (if possible) to use the the same tag for different eventtypes: e.g. if I need to monitor login of different systems (Win, Linux, appliances, ...), I can create one eventtype for each sourcetype and use for all of them the tag=LOGIN, in this way with only one tag I can search on different logs.
Bye.
Giuseppe

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-01-2017 01:03 PM

There are several ways to get there, one is to go to the top right corner of the UI Settings -> Tags -> Add new

http://docs.splunk.com/Documentation/Splunk/6.5.1/Knowledge/Tagthehostfield

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-03-2017 12:53 AM

A tag defined on the host field doesn't have any knowledge of the index, try this:

index=aix tag=abc
0 Karma
Reply

rashid47010
Communicator
‎01-02-2017 08:15 AM

I follow the same steps.
I associate the tag=abc against below host and I can see the tag when I explore the event like below

index=aix host=sssss

but when I use the
tag=abc

I can't see anything. might some permission issue. I am login as normal user.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top