Security

How to tag all events from clients to defined "groups"

romainbouajila
Path Finder

Hello

I would like to add a tag to our Splunk clients by location.

I found how to create eventtypes on the server side but I am searching to tag all events directly on the client (in server.conf or inputs.conf maybe ?)

Is it doable ? If yes, what setting should I edit ?

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @romainbouajila,

the advantage of using eventtypes is that every update has to be done in only one point, so if your hostnames change you have to update only one eventtype.

Anyway, are you sure that your eventtypes change frequently? It's a strange thing!

If instead the problem is that you haven't a rule (e.g. Italian servers start with IT), you can list all the hosts of a group, e.g. eventtype italian_HT will be:

(host=server1 OR host=server3 OR host=server4)

As I said, if your list changes, you have to update only one eventtype.

Otherwise, you could use a lookup correlating each host to a tag, but in this way you have to manage the lookup. In my opinion the choice depends on the user that has to manage the list:

  • for a Splunk admin it's easier to manage an eventtype,
  • for a Splunk user it's easier to manage a lookup using Lookup Editor.

Ciao.

Giuseppe


isoutamo
SplunkTrust
Hi
The file is tags.conf and it’s editable on SH-layer.
r. Ismo

romainbouajila
Path Finder

Hello,


This solution implies maintaining a list of all our hosts on the Search Head if we want them all to be in a defined "group".

Isn't it possible to tag all logs from the client side ? (maybe tag is not the appropriate setting)

0 Karma

gcusello
SplunkTrust

Hi @romainbouajila,

the way to tag events is very easy. This is the process for one group, which you can repeat for more groups:

  • you have to create a search that identifies a group of hosts (e.g. all the hosts whose names start with IT are Italian servers),
  • then save this search as an eventtype (e.g. italian_host),
  • associate one or more tags to this eventtype (e.g. IT),
  • you can eventually create more subdivided eventtypes (e.g. Italian hosts of the HR dept.), associating more tags to this eventtype (e.g. IT, HR).

In this way you can create a search calling tags (e.g. you can call all the italian hosts using a simple search tag=IT).

I used this approach for an app that classifies all the login, logout and logfail events:

  • for each technology I had, I created three eventtypes,
  • associating to each one a tag for the technology (e.g. WIN)
  • and a tag for the action (e.g. LOGIN),
  • in this way I was able to call the login events of all my technologies using a single tag (tag=LOGIN).

Ciao.

Giuseppe
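The two approaches described in this thread (an eventtype listing the hosts of a group, and a lookup correlating each host to a location) as an added configuration example; this is not from the original thread or from Splunk's documentation. The host names, the `host_location` lookup name, the `location_by_host.csv` file and the `location` field are made up for illustration; the stanzas belong in an app on the search head (e.g. `$SPLUNK_HOME/etc/apps/<app>/local/`), and the CSV goes in that app's `lookups/` directory.

```ini
# eventtypes.conf, approach 1: one eventtype that lists the hosts of a group.
# When a host is added or removed, this single stanza is the only thing to edit.
[italian_host]
search = (host=server1 OR host=server3 OR host=server4)

# tags.conf, approach 1: attach the IT tag to that eventtype,
# so the search "tag=IT" returns the events of all Italian hosts.
[eventtype=italian_host]
IT = enabled

# transforms.conf, approach 2: lookup correlating host -> location,
# which a Splunk user can maintain with Lookup Editor instead of editing conf files.
# Constructed contents of lookups/location_by_host.csv:
#   host,location
#   server1,IT
#   server3,IT
#   server7,FR
[host_location]
filename = location_by_host.csv

# props.conf, approach 2: automatic lookup that adds a "location" field
# to every event from any host, keyed on the host field, at search time.
[host::*]
LOOKUP-location = host_location host OUTPUT location

# tags.conf, approach 2: tag the location values, so the same "tag=IT"
# search works no matter which approach produced the classification.
[location=IT]
IT = enabled

[location=FR]
FR = enabled
```

Both approaches are evaluated on the search head at search time, which is why there is no client-side (server.conf or inputs.conf) setting involved.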

romainbouajila
Path Finder

Thank you for your answer.

My issue is that we have changed the naming convention for our servers many times, so I can't use the hostnames to identify location.

Since we have no pattern in hostnames or IP ranges for location, I am afraid of the maintainability of this solution (for every new server, editing the eventtype search to add it).

I would like to be able to deploy it from the client side, at the vm creation. What would be the appropriate solution for this case ?

0 Karma

romainbouajila
Path Finder

Should I stick to tags or should I check how to add metadata ?

0 Karma
