Knowledge Management

tags.conf in an app/local/tags.conf not working

hartfoml
Motivator

I have an app that I built for a user group. There log on will be restricted by tags. I put the tags.conf file in there app so that I can edit it easily when needed. I ran the (http(s)://splunk_server:port/en-US/debug/refresh) to get the tags running but I am still getting an "Unable to find tag" error during the search's that were built for there app.

Does the tags.conf need to be in system or search app???

1 Solution

alacercogitatus
SplunkTrust
SplunkTrust

The tags need to be exported to the system if you are going to use them for logon restriction (just my feeling). If only limited to the specific app, then when they navigate to another app, the tags won't be found. Add this into your metadata/local.meta.conf file.

[tags]
access = read : [ * ], write : [ admin ]
export = system

View solution in original post

alacercogitatus
SplunkTrust
SplunkTrust

The tags need to be exported to the system if you are going to use them for logon restriction (just my feeling). If only limited to the specific app, then when they navigate to another app, the tags won't be found. Add this into your metadata/local.meta.conf file.

[tags]
access = read : [ * ], write : [ admin ]
export = system

hartfoml
Motivator

This makes sense but I am getting the can't find tag even while in the app. I added the lines above and there was not change. still getting the "unable to find tag" while in the app.

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Are you sure the tag is defined correctly? Please paste the tags.conf as well as your restriction configuration.

hartfoml
Motivator

[BKUP]

na = enabled

[DA02]

na = enabled

[F01]

na = enabled

[OPS1]

na = enabled

[S02]

na = enabled

in the restrictions I put this

index=os AND tag="na"

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

You have to specify a field name. http://docs.splunk.com/Documentation/Splunk/6.1.3/admin/tagsconf

[host=BKUP]
na = enabled

[host=DA02]
na = enabled

And so on and so forth. Once you have the fields defined - a debug/refresh?entity=admin/tags should pull it in for you to use.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...