
Listing all tags in the search interface

Communicator

I have been tagging hosts to aid in searching by environment, service, sub-service.

I would like to make a dashboard widget that lists all the services for a particular environment.

Is there a search query I can use to dynamically list all tags in the system or app?


Re: Listing all tags in the search interface

Communicator

I think I got a little closer with

| metadata type=hosts | fields host | tags | search tag::host=* | fields - host

If that is closer, now I need to figure out how to break up the multiline, dedupe, and make the drill-down work. I'm hoping there is an easy query I'm missing.

0 Karma

Re: Listing all tags in the search interface

Legend

This will do it:

| metadata type=hosts | tags | mvexpand tag::host | dedup tag::host | fields tag::host

If you need to drill down, you should be able to modify the standard dashboard a bit, just to select the right field name(s).

BTW, and maybe this is too late for you to consider, but I would strongly recommend for this purpose that you consider a lookup table (with a lookup on host returning each of your other fields) rather than tags. In some ways, they are much easier to manage, and you will be able to search by, e.g., environment=prod service=webserver rather than tag::host=env-prod tag::host=serv-webserver.

View solution in original post
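To illustrate the lookup-table suggestion in the answer above, here is an added example (not posted by anyone in this thread). The first search converts existing host tags into a lookup file, the second lists the services for one environment as the dashboard panel would, and the third filters events by the lookup fields. The `env-` and `serv-` tag prefixes follow the naming used in the answer; the file name `example_host_info.csv` and `index=main` are assumptions.

```spl
| metadata type=hosts
| fields host
| tags
| mvexpand tag::host
| rename "tag::host" AS host_tag
| rex field=host_tag "^env-(?<environment>.+)$"
| rex field=host_tag "^serv-(?<service>.+)$"
| where isnotnull(environment) OR isnotnull(service)
| stats values(environment) AS environment values(service) AS service BY host
| mvexpand environment
| mvexpand service
| outputlookup example_host_info.csv

| inputlookup example_host_info.csv
| search environment="prod"
| stats dc(host) AS hosts BY service
| sort service

index=main
| lookup example_host_info.csv host OUTPUT environment service
| search environment=prod service=webserver
```

The two `mvexpand` steps leave one single-valued row per host, environment and service combination, so the CSV never has to hold multivalue cells.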


Re: Listing all tags in the search interface

Motivator

Are you suggesting the lookup table approach specifically because he's hitting metadata, as opposed to raw results? If searching against actual events, wouldn't there be a (possibly severe) performance penalty?

0 Karma

Re: Listing all tags in the search interface

Legend

It would be no worse and probably better to use lookup tables than tags.

0 Karma

Re: Listing all tags in the search interface

Communicator

Thank you. Tags seemed more natural to me and I understand them already. I'll investigate the lookup table. I suspect lookup tables would be cached in RAM for it to be speedy. I can see how exporting "tag" type info from another system would be easier with a lookup table.

0 Karma