Solved: Tags Disappear When Changing Permissions

mmclain1 · ‎01-07-2013

I created a tag with a field value pair of host=server1* called test. Everything works great until I try to change the permissions on it so my colleagues can use it. I set the permission from Private to App where everyone can read it and only admin can write. When I save this change, the Tag name disappears, but the field value pair remains.
When I click the field value pair to edit the tags associated with it, I re-add the test tag, save, but the Tag Name area is still blank. What gives?

emiller42 · ‎01-07-2013

Were you trying to use a wildcard in the tag? (%2A = *)

[host=server1*]
test = enabled

That's not something you can do in tags. Each host=value pair must be explicitly defined. So if you have server10, server11, server12, then you need three separate tags defined.

[host=server10]
test = enabled

[host=server11]
test = enabled

[host=server12]
test = enabled

Yes, this sucks when you have a lot of servers.

View solution in original post

emiller42 · ‎01-07-2013

Were you trying to use a wildcard in the tag? (%2A = *)

[host=server1*]
test = enabled

That's not something you can do in tags. Each host=value pair must be explicitly defined. So if you have server10, server11, server12, then you need three separate tags defined.

[host=server10]
test = enabled

[host=server11]
test = enabled

[host=server12]
test = enabled

Yes, this sucks when you have a lot of servers.

mmclain1 · ‎01-07-2013

Ah, that explains it. Thanks!

mmclain1 · ‎01-07-2013

/opt/splunk/etc/apps/search/local/tags.conf:
[host=server1%2A]
test = enabled

Nothing in the other file.

Also, when I go to "List by tag name", there are no tags listed...

emiller42 · ‎01-07-2013

What are you seeing in tags.conf? Look in both the etc/apps//local folder and etc/users///local.

Tags Disappear When Changing Permissions

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes