TAGS not showing in Field Discovery panel when a w...

Rob_Jordan · ‎05-29-2012

I should mention that both the standard and wildcard tags both return search results, but the wildcard tag does not show up in the field discovery panel.
All of the following searches work:

tag=QA
tag=*
tag::host=QA
tag::host=*

Field Discovery Working:
Here's an example of a tag I've created which shows as a field in the format of tag::host.

Tag Name: QA
Field value pair: host=abcd.com

Field Discovery Not working:
When I add the wildcard to cover variations of the hostname i.e. short and long, the search works and returns results, but I do not see the field tag::host in the field discovery panel.

Tag Name: QA
Field value pair: host=abcd*

Thanks,

Rob

bkahlerventer · ‎09-16-2014

Wildcards are allowed from 6.x onwards as far as I know, but the tags still does not show in the field discovery panel.

I suspect that the field discovery panel receive its collection of fields before the tags are added to the event. The best is to log a Case with Splunk if you have a Support Contract.

mrodriguez360 · ‎08-27-2012

You can't use wildcards when tagging.
http://splunk-base.splunk.com/answers/2953/wildcard-support-in-tag-definitions

TAGS not showing in Field Discovery panel when a wildcard is used

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?