Splunk Search

Listing all tags in the search interface

gfriedmann
Communicator

I have been tagging hosts to aid in searching by environment, service, sub-service.

I would like to make a dashboard widget that lists all the services for a particular environment.

Is there a search query I can use to dynamically list all tags in the system or app?

1 Solution

gkanapathy
Splunk Employee

This will do it:

| metadata type=hosts | tags | mvexpand tag::host | dedup tag::host | fields tag::host

If you need to drill down, you should be able to modify the standard dashboard a bit, just to select the right field name(s).

BTW, and maybe this is too late for you to consider, but I would strongly recommend for this purpose that you consider a lookup table (with a lookup on host returning each of your other fields) rather than tags. In some ways, they are much easier to manage, and you will be able to search by, e.g., environment=prod service=webserver rather than tag::host=env-prod tag::host=serv-webserver.

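The lookup-table approach recommended in the answer above, sketched as an added example that is not part of the original thread. The lookup name `host_info`, the file `host_info.csv`, its column names and the sample rows are all assumptions.

```ini
# --- lookups/host_info.csv (constructed sample rows; file and column names are assumptions) ---
# host,environment,service
# web01,prod,webserver
# web02,prod,webserver
# db01,prod,database
# web-t1,test,webserver

# --- transforms.conf: lookup definition pointing at the CSV ---
[host_info]
filename = host_info.csv

# --- props.conf: automatic lookup, here applied to events from every host ---
# (a sourcetype or source:: stanza works the same way if you want a narrower scope)
[host::*]
LOOKUP-host_info = host_info host OUTPUT environment service

# --- searches this enables ---
# Dashboard panel listing the services in one environment, read straight from the table:
#   | inputlookup host_info | search environment=prod | stats values(host) AS hosts BY service
# Event search on the looked-up fields instead of tag::host=env-prod tag::host=serv-webserver:
#   environment=prod service=webserver
```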

dbroggy
Path Finder

None of the above queries seem to work.

0 Karma

gfriedmann
Communicator

Thank you. Tags seemed more natural to me and I understand them already. I'll investigate the lookup table. I suspect lookup tables would be cached in RAM for it to be speedy. I can see how exporting "tag" type info from another system would be easier with a lookup table.

0 Karma

gkanapathy
Splunk Employee

It would be no worse and probably better to use lookup tables than tags.

0 Karma

southeringtonp
Motivator

Are you suggesting the lookup table approach specifically because he's hitting metadata, as opposed to raw results? If searching against actual events, wouldn't there be a (possibly severe) performance penalty?

0 Karma

gfriedmann
Communicator

I think I got a little closer with:

| metadata type=hosts | fields host | tags | search tag::host=* | fields - host

If that is closer, now I need to figure out how to break up the multiline, dedupe, and make the drill-down work. I'm hoping there is an easy query I'm missing.

0 Karma