Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Tags: Whats the best way to see all that is tagged

Michael_Wilde
Splunk Employee
Splunk Employee
‎06-12-2010 05:16 PM

I am working on a project where several people are going in to a Splunk server and tagging hosts. (Tagging is used, in this case to denote the person responsible for extracting fields on a host AND to set the state of tagging.. like "done" or "in process".

Is there a smart way to see all hosts that have been tagged, what their tags are (and conversely, which hosts haven't been tagged).

I know i could do a search on "* NOT (host::tag::fx_done OR host::tag::fx_wip)" but that wouldn't be efficient as I don't really need events.. just metadata.

Previous versions of Splunk had the tags listed next to host metadata on the Summary page.

Thoughts?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-12-2010 05:54 PM 
| metadata type=hosts | tags | search NOT (tag::host=fx_done OR tag::host=fx_wip)

will add the tags for each host to the metadata as an MV field, and then you can search on them.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-12-2010 05:54 PM 
| metadata type=hosts | tags | search NOT (tag::host=fx_done OR tag::host=fx_wip)

will add the tags for each host to the metadata as an MV field, and then you can search on them.

Reply
Solved! Jump to solution

gilescope
Explorer
‎08-21-2014 12:04 AM

Is there a way of subsetting to the tags definined in a particular app?

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-12-2010 06:41 PM

huh, what do you know. totally undocumented. i wonder if it's supposed to be.

0 Karma
Reply
Solved! Jump to solution

Michael_Wilde
Splunk Employee
Splunk Employee
‎06-12-2010 06:20 PM

I didnt' think | tags was still a search command. It doesn't show up in the search assistant. I should have just tried it.. but then again, its a worthy question for others to know. Thanks for the answer G.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎06-12-2010 05:56 PM

the tags command is the same one that was used to retrieve and display the tags in the dashboards in 3.x, and still works in 4.x. It's just the dasboards have changed and no longer display them.

Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...