Splunk SOAR

Delete Unused tags

sayala
New Member

We use dynamic tags, like ticket numbers or alert IDs, on all of our containers.

We have a retention policy that deletes containers after a year of them not being updated. I would like something that removes all the unused tags, similar to that retention policy. So, if a tag with an event ID is no longer being used, it will delete the tag. We currently have thousands of tags and it starts to bug the UI. 

phanTom
SplunkTrust

@sayala Firstly, I would say this is a "not best practise" use of tags for the reasons you are coming up against now. 

Surely something like a custom field would be better as you can both populate and use it in any way you want and it comes into Splunk too with the container data if you are using the tags for trending etc?

I can't see a REST endpoint for tag management at a system level as this would be your best option to do it at any scale. 

Unfortunately, for now and without a lot of potential digging, you will need to delete manually. 

I would advise you to think of a different way though otherwise you will face a buggy UI going forward. 

Hope this helped!? Happy SOARing

richgalloway
SplunkTrust

Are the tags indexed in Splunk?  If so, they cannot be deleted.  The tags will go away based on the retention policy for the index in which they are stored.

---
If this reply helps you, Karma would be appreciated.

sayala
New Member

Just to be clear, this is specifically for Splunk SOAR. I would like to delete unused tags on SOAR containers. I do understand that I can go to Administration -> Administration Settings -> Tags and manually delete them, but we have thousands and without manually checking each one, I am not sure what is in use. I would like to be able to delete everything that is no longer in use on containers.
