What is the proper format to put hosts in the tags.conf file?
Like this:
[host=yourhostname]
your_first_tagname = enabled
your_second_tagname = enabled
To validate that it's working, run a search for host=yourhostname, and a search for tag::host=your_first_tagname. Both should return the same results.
So I figured out that my problem is that I'm using Splunk on a Windows box. I ended up having the engineer from Splunk that I've been working with contact the author of the app and he said it had to be on a Linux platform. Thanks for all the help everyone.
It didn't work for me... Could someone please give an example of tags.conf?
I would generally suggest using lookup tables rather than tags, unless you need users to be able to edit tags in the UI.
How would I implement lookup tables?
No. Automatic lookups are reversed and only retrieve matching hosts.
Doesn't that introduce a performance penalty if you're trying to search by certain classes of host? E.g., if you have lots of Windows servers, all logging with the same sourcetype, and wanted to search for just events from domain controllers... Wouldn't search tag::host=domain_controller be faster than search lookup_result=domain_controller? I've always thought that the former would be expanded early enough in the process to be able to leverage the host field in the index, where the second would have to pull back data from all hosts before filtering down.
And you're entering the hostname exactly the same way in search and in tags.conf? In your messages above, you refer to the machine in several different ways - the unqualified hostname Router1, fqdn router1.mycompany.com, and IP address 10.0.0.1. Make sure that you are picking one form and using the exact same name everywhere. Also, make sure you're putting your tags.conf file in the right place. When in doubt, you probably want it in $SPLUNK_HOME/etc/apps/search/local/tags.conf.
I was not testing it that way, but now that I have, your last statement is correct. When I put the tag:: in front of the word host it doesn't come back with any results.
I'm still not seeing anything. Is there a log file I can check out to see what's not working?
Try it without the quotes.
So now I have [host="router1.mycompany.com"], which is what returns results in the search. I'm still not getting anything. Is there something I need to put for the other two lines?
It needs to match the value of the host field in the index. Run a search for host="Router1", and run a search for host="10.0.0.1". Whichever of those returns actual results is the one you need to use. A reboot should not be required.
I know this is going to sound bad but what I tried isn't working.
If my device is named Router1 and the IP is 10.0.0.1 would it be
[host=Router1]
your_first_tagname = enabled
your_second_tagname = enabled
Also, do I have to restart Splunk when I update the tags.conf file?