I am working on a project where several people are going in to a Splunk server and tagging hosts. (Tagging is used, in this case to denote the person responsible for extracting fields on a host AND to set the state of tagging.. like "done" or "in process".
Is there a smart way to see all hosts that have been tagged, what their tags are (and conversely, which hosts haven't been tagged).
I know i could do a search on "* NOT (host::tag::fx_done OR host::tag::fx_wip)" but that wouldn't be efficient as I don't really need events.. just metadata.
Previous versions of Splunk had the tags listed next to host metadata on the Summary page.
Thoughts?
| metadata type=hosts | tags | search NOT (tag::host=fx_done OR tag::host=fx_wip)
will add the tags for each host to the metadata as an MV field, and then you can search on them.
| metadata type=hosts | tags | search NOT (tag::host=fx_done OR tag::host=fx_wip)
will add the tags for each host to the metadata as an MV field, and then you can search on them.
Is there a way of subsetting to the tags definined in a particular app?
huh, what do you know. totally undocumented. i wonder if it's supposed to be.
I didnt' think | tags was still a search command. It doesn't show up in the search assistant. I should have just tried it.. but then again, its a worthy question for others to know. Thanks for the answer G.
the tags
command is the same one that was used to retrieve and display the tags in the dashboards in 3.x, and still works in 4.x. It's just the dasboards have changed and no longer display them.