Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Where to place tags.conf?

a212830
Champion
‎03-08-2017 07:49 AM

Hi,

I want to create some tags and associate them with an index. Where would tags.conf be put? Search Head? Indexer?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

muebel
SplunkTrust
SplunkTrust
‎03-08-2017 08:01 AM

Hi a212830,

Generally you would want to create an eventtype (some particular search, could just be index="your_index" and then set tag_name=enabled for that eventtype in tags.conf.

Both eventtypes and tags are search time operations, and so this config only needs set on whatever instance you are searching from.

Please let me know if this answers your question! 😄

View solution in original post

0 Karma
Reply
Solved! Jump to solution

dcsre
Observer
‎09-14-2022 06:47 AM

Old thread here, but I'm having trouble getting the tag to show up in  console searches after restarting the host forwarder service. Running 8.2.5 server and 9.0.0.1 forwarder agent.

/splunkforwarder/etc/system/local/tags.conf content:
[host=server01]
myapp = enabled

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-08-2017 09:59 AM

On your Search Head(s).

0 Karma
Reply
Solved! Jump to solution
Solution

muebel
SplunkTrust
SplunkTrust
‎03-08-2017 08:01 AM

Hi a212830,

Generally you would want to create an eventtype (some particular search, could just be index="your_index" and then set tag_name=enabled for that eventtype in tags.conf.

Both eventtypes and tags are search time operations, and so this config only needs set on whatever instance you are searching from.

Please let me know if this answers your question! 😄

0 Karma
Reply
Solved! Jump to solution

a212830
Champion
‎03-08-2017 08:26 AM

Makes sense, just not working. I have an app on my license manager, and put an eventtypes.conf and a tags.conf and restarted it. The eventtype is recognized, but I can't find the tag.

eventtypes.conf:
[network_index]
search = index=network

tags.conf:
[eventtype=network_index]
costBU = GNS

When I look for tags in the gui, they don't appear. I'm doing this as admin.

0 Karma
Reply
Solved! Jump to solution

muebel
SplunkTrust
SplunkTrust
‎03-08-2017 08:32 AM

the format for tags is <tagname> = [enabled|disabled]

so, costBU = enabled or GNS = enabled

0 Karma
Reply
Solved! Jump to solution

a212830
Champion
‎03-08-2017 09:49 AM

Ok, so that enables the tag? Can I populate it?

0 Karma
Reply
Solved! Jump to solution

muebel
SplunkTrust
SplunkTrust
‎03-08-2017 10:01 AM

Correct, that enables the tag. Once set, and splunk is reloaded/restarted, when you run searches you'll find the tag field show up for any events that match that eventtype, and therefore that tag.

You can also directly search for a tag, i.e. tag="costBU" OR tag="GNS"

0 Karma
Reply
Solved! Jump to solution

a212830
Champion
‎03-08-2017 10:28 AM

Got it. Thanks!

Reply
Solved! Jump to solution

muebel
SplunkTrust
SplunkTrust
‎03-08-2017 12:08 PM

sure thing, glad to help! 😄

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...