Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Using tags to search other fields

mcm10285
Communicator
‎03-21-2013 12:45 PM

I'm trying to find a way to use tags to be used in search as such that the tag entries are cross-matched to the search. This would sound like a job for lookups but is there a way to use the tag?

I found this link (below), but I'm not sure it works for me or if I did anything wrong.

    eventtype=foo [search tag::host=tagname | dedup host | fields host | rename host as foo_field]...

http://splunk-base.splunk.com/answers/1325/using-host-tags-or-similar-when-searching-on-fields

  • My objective: To get the same result as the search below.

    eventtype=foo ip1 OR ip2 OR ip3|table foo_field field1 field2

    foo_field is a field from the eventtype that would correspond to the ip1, ip2, ip3, etc.

  • Given: tagname: host=ip1, host=ip2, host=ip3

Except for using lookup table, any other ideas?

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-21-2013 02:08 PM

Assuming search tag::host=tagname yields events from hosts ip1, ip2, and ip3, the first subsearch should build a search something like this:

eventtype=foo (foo_field=ip1 OR foo_field=ip2 OR foo_field=ip3)

That's different from your desired search eventtype=foo ip1 OR ip2 OR ip3, for that you could modify the subsearch into this:

eventtype=foo [search tag::host=tagname | return $host]

This will build a search something like this:

eventtype=foo (ip1 OR ip2 OR ip3)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-22-2013 09:35 AM

I see, you want an entire list of tags... the REST API is the way to go then, using the rest command in the search language and this endpoint: http://docs.splunk.com/Documentation/Splunk/5.0.2/RESTAPI/RESTknowledge#search.2Ftags.2F.7Btag_name....

0 Karma
Reply

mcm10285
Communicator
‎03-22-2013 09:12 AM

Thanks for this. However I don't think it will work since it is still looking into the "host=ip1" as the log source and just returning that value as something to pass from the subsearch. What I need is a search to look into the values of all defined in the tag and pass them to the main search.

It looks like lookup table is the way to go.

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...