tag=usb

hendriks · ‎02-26-2021

So when searching tag=usb, I get an message telling me : "The term 'usb*:' contains a wildcard in the middle of a word or string. This might cause inconsistent results if the characters that the wildcard represents include punctuation", but i did not add the wildard there myself.

So anyone has any idea where this comes from. One of the things I could think of this comes from an add-on, somewhere..

While investigating this a little bit more I also see funky errors when searching tag=* for instance.

gcusello · ‎02-26-2021

Hi @hendriks,

Check in [Settings -- Tag] if there's a tag with "*" inside.

Ciao.

Giuseppe

hendriks · ‎03-01-2021

Ah, thank you, no tags with "*" or any other wildcard inside.

I see there is eventtype=nix_usb that has 3 tags, os, unix, usb, this eventtype comes from Splunk_TA_nix.

So no luck there.

When I search for tag=* I also get the message that tag=usb* has a wildcard.

gcusello · ‎03-01-2021

Hi @hendriks,

see in File System in $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/tags.conf and $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/tags.conf: sometimes there's an error, you ahould also find the same error in Splunk start-up from console.

if you don't find it, try using the btool command:

$SPLUNK_HOME/bin/splunk cmd btool tag list --debug

Ciao.

Giuseppe

tag=usb

tag

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?