Splunk is indexing performance data for % disk space free for production and development Linux and Windows servers. I have two saved searches which report where % disk space is less than 10% for Windows and Linux.
The Production servers would have a different IP address range to that of the development servers.
I need to now refine the saved search to only search where % disk space free is less than 10% on production servers. I have read about tagging where I could tag all the production servers. In my saved search I could then update it to include tag=Production. This would then only pull back Production servers.
Is there any other way I could distinguish from within my saved search my production servers from my development servers?
You could also use a lookup, and I would say that if you have more than a few thousand servers, you should use lookups instead of tags. Aside from that, yeah, go for tags.
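The lookup approach from the answer above, sketched as an added example that is not part of the original thread: a CIDR-matched lookup maps each server's IP range to an environment, and the saved search filters on the result. The index, sourcetype, field names (`host_ip`, `pct_free`), lookup name, stanza name and IP ranges are all assumptions made for illustration.

```ini
# --- lookups/server_env.csv (constructed sample; replace with your real ranges) ---
# ip_range,environment
# 10.10.0.0/16,Production
# 10.20.0.0/16,Development

# --- transforms.conf ---
[server_env]
filename = server_env.csv
# Match the event's IP against the CIDR blocks in the ip_range column
match_type = CIDR(ip_range)
# Hosts outside every listed range get an explicit value instead of no value
min_matches = 1
default_match = Unknown

# --- savedsearches.conf ---
# Assumed names: index "os", sourcetype "disk_perf", fields host_ip and pct_free
[Low Disk Space - Production]
search = index=os sourcetype=disk_perf \
| lookup server_env ip_range AS host_ip OUTPUT environment \
| where environment="Production" AND pct_free < 10 \
| stats latest(pct_free) AS pct_free BY host
```

Hosts that fall outside every listed range come back as `Unknown`, so a periodic search for `environment="Unknown"` shows servers the production alert is not covering.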
Tagging is designed specifically for this and would be the best approach given your need. Is there something I'm missing as to why you wouldn't want to do it this way?