
server tags

Communicator

Hi everyone,
I have four servers. Two are web portals and two are application servers. All four servers belong to one online service. Now, for my simple understanding, I want to tag them with the service name, so that when I run the query below I see the events from all four servers.

tag=onlineapplication

How can I do that?


Re: server tags

SplunkTrust

There are several ways to get there; one is to go to the top right corner of the UI: Settings -> Tags -> Add new.

http://docs.splunk.com/Documentation/Splunk/6.5.1/Knowledge/Tagthehostfield


Re: server tags

Communicator

I followed the same steps.
I associated tag=abc with the host below, and I can see the tag when I explore the events like this:

index=aix host=sssss

But when I use
tag=abc

I can't see anything. It might be some permission issue. I am logged in as a normal user.


Re: server tags

SplunkTrust

A tag defined on the host field doesn't have any knowledge of the index; try this:

index=aix tag=abc

Re: server tags

Legend

Hi rashid47010,
I like to use tags associated with eventtypes, so I create an eventtype like this

index=my_index sourcetype=my_sourcetype (host=hostAS1 OR host=hostAS2)

associating tag=applicationserver with it,
and then

index=my_index sourcetype=my_sourcetype (host=hostOS1 OR host=hostOS2)

associating tag=onlineservices with it.

In this way I can use them instead of searches (your search becomes tag=applicationserver OR tag=onlineservices), and you can easily manage changes in architecture (e.g. inserting an additional server) by modifying only the eventtype instead of all searches.

Have a good year.
Bye.
Giuseppe


Re: server tags

Communicator

Great idea, but unfortunately for some services I have 15 to 20 servers. My next plan is to tag them based on zones, and then tag them as internal or external resources.

So in the end all hosts have three types of tags:

1- based on application
2- based on DMZ zones
3- based on internal or external location (internal means within the network and external means coming from the internet)


Re: server tags

Legend

OK, what is the problem? You'll have more than two tags, but either way you can easily manage them in only one place.
In addition, think (if possible) about using the same tag for different eventtypes: e.g. if I need to monitor logins on different systems (Win, Linux, appliances, ...), I can create one eventtype for each sourcetype and use tag=LOGIN for all of them; in this way, with only one tag, I can search across different logs.
Bye.
Giuseppe

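For the three-tag scheme discussed in this thread (application, zone, internal/external) spread over many hosts, host tags can be generated from an inventory instead of being added one at a time in the UI. This is an added example, not code from any poster or from Splunk; the host names, zone names and helper functions are hypothetical, and the output follows the `tags.conf` stanza layout of `[host=<value>]` followed by `<tag> = enabled` lines.

```python
# Added example: build tags.conf host stanzas from an inventory.
import re
from collections import OrderedDict

# Constructed sample inventory: (host, application, zone, exposure).
INVENTORY = [
    ("web01", "onlineapplication", "dmz1", "external"),
    ("web02", "onlineapplication", "dmz1", "external"),
    ("app01", "onlineapplication", "dmz2", "internal"),
    ("app02", "onlineapplication", "dmz2", "internal"),
]

# Conservative character set chosen for this example (an assumption), so no
# host or tag value needs encoding inside a stanza header or key.
SAFE = re.compile(r"^[A-Za-z0-9_.-]+$")


def build_host_tags(inventory):
    """Return {host: [tags]}, merging repeated hosts and keeping first-seen order."""
    tags = OrderedDict()
    for row in inventory:
        host, *labels = row
        for value in (host, *labels):
            if not SAFE.match(value):
                raise ValueError(f"unsafe value in inventory: {value!r}")
        bucket = tags.setdefault(host, [])
        for label in labels:
            if label not in bucket:
                bucket.append(label)
    return tags


def render_tags_conf(inventory):
    """Render one [host=<value>] stanza per host with one enabled line per tag."""
    stanzas = []
    for host, labels in build_host_tags(inventory).items():
        lines = [f"[host={host}]"] + [f"{tag} = enabled" for tag in labels]
        stanzas.append("\n".join(lines))
    return "\n\n".join(stanzas) + "\n"


if __name__ == "__main__":
    print(render_tags_conf(INVENTORY))
```

Adding a server then means adding one inventory row and regenerating the file; searches such as `index=aix tag=onlineapplication` stay unchanged.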