Knowledge Management

Using tags to search other fields

mcm10285
Communicator

I'm trying to find a way to use tags in search such that the tag entries are cross-matched to the search. This sounds like a job for lookups, but is there a way to use the tag?

I found this link (below), but I'm not sure it works for me or if I did anything wrong.

    eventtype=foo [search tag::host=tagname | dedup host | fields host | rename host as foo_field]...

http://splunk-base.splunk.com/answers/1325/using-host-tags-or-similar-when-searching-on-fields

  • My objective: To get the same result as the search below.

    eventtype=foo ip1 OR ip2 OR ip3|table foo_field field1 field2

    foo_field is a field from the eventtype that would correspond to ip1, ip2, ip3, etc.

  • Given: tagname: host=ip1, host=ip2, host=ip3

Except for using lookup table, any other ideas?

0 Karma

martin_mueller
SplunkTrust

Assuming search tag::host=tagname yields events from hosts ip1, ip2, and ip3, the first subsearch should build a search something like this:

    eventtype=foo (foo_field=ip1 OR foo_field=ip2 OR foo_field=ip3)

That's different from your desired search eventtype=foo ip1 OR ip2 OR ip3; for that you could modify the subsearch into this:

    eventtype=foo [search tag::host=tagname | return $host]

This will build a search something like this:

    eventtype=foo (ip1 OR ip2 OR ip3)
0 Karma

martin_mueller
SplunkTrust

I see, you want an entire list of tags... the REST API is the way to go then, using the rest command in the search language and this endpoint: http://docs.splunk.com/Documentation/Splunk/5.0.2/RESTAPI/RESTknowledge#search.2Ftags.2F.7Btag_name....

0 Karma
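The thread's sticking point is that a subsearch over tag::host=tagname only returns hosts that actually have events, whereas the asker wants every field=value pair defined under the tag, whether or not it has produced events. Those definitions live in tags.conf as stanzas of the form [field=value] with entries tagname = enabled, which is the same data the REST tags endpoint exposes. The following is an added example, not code from the thread or from Splunk: it parses a constructed tags.conf fragment, collects the enabled values for a given tag, and builds the parenthesised OR clause the accepted answer describes, quoting each value so hosts with spaces or quotes cannot break the generated search. It assumes you have read access to the relevant tags.conf on the search head (or an equivalent export); the file content below is constructed for illustration.

```python
import re

# Constructed sample tags.conf content (not from the thread). "tagname" is
# enabled on three hosts and disabled on a fourth; "othertag" spans two fields.
SAMPLE_TAGS_CONF = """
# comment lines and blank lines are ignored
[host=ip1]
tagname = enabled

[host=ip2]
tagname = enabled
othertag = enabled

[host=ip3]
tagname = enabled

[host=ip4]
tagname = disabled

[sourcetype=syslog]
othertag = enabled
"""

# Stanza header: [<field>=<value>]; the value may itself contain '=' but not ']'.
STANZA_RE = re.compile(r"^\[(?P<field>[^=\]]+)=(?P<value>[^\]]*)\]$")
# Entry inside a stanza: <tagname> = enabled|disabled
ENTRY_RE = re.compile(r"^(?P<tag>[^=\s]+)\s*=\s*(?P<state>enabled|disabled)$")


def parse_tags_conf(text):
    """Return {tag_name: [(field, value), ...]} for every *enabled* assignment.

    Disabled entries are dropped, since Splunk does not apply those tags.
    """
    members = {}
    field = value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        stanza = STANZA_RE.match(line)
        if stanza:
            field, value = stanza.group("field"), stanza.group("value")
            continue
        entry = ENTRY_RE.match(line)
        if entry and field is not None and entry.group("state") == "enabled":
            members.setdefault(entry.group("tag"), []).append((field, value))
    return members


def tag_values(text, tag_name, field=None):
    """Values carrying tag_name, optionally restricted to one field (e.g. 'host')."""
    pairs = parse_tags_conf(text).get(tag_name, [])
    return [v for f, v in pairs if field is None or f == field]


def quote_spl(value):
    """Wrap a value in double quotes, escaping backslashes and embedded quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_search(base, values, field=None):
    """Build  base (v1 OR v2 ...)  or  base (field=v1 OR field=v2 ...).

    Returns None when there are no values, so the caller does not run an
    unconstrained base search by accident.
    """
    if not values:
        return None
    terms = [f"{field}={quote_spl(v)}" if field else quote_spl(v) for v in values]
    return f"{base} ({' OR '.join(terms)})"


if __name__ == "__main__":
    hosts = tag_values(SAMPLE_TAGS_CONF, "tagname", field="host")
    print(build_search("eventtype=foo", hosts))
    print(build_search("eventtype=foo", hosts, field="foo_field"))
```

Run with the sample it prints eventtype=foo ("ip1" OR "ip2" OR "ip3") and the foo_field= variant; ip4 is excluded because its tag is disabled. Passing field="host" matters when a tag is applied to several fields, otherwise a sourcetype value would end up in a host clause. Always quoting is a deliberate choice: it costs nothing for plain IPs and keeps the generated SPL well-formed for any value an admin may have tagged.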

mcm10285
Communicator

Thanks for this. However, I don't think it will work, since it is still looking into "host=ip1" as the log source and just returning that value as something to pass from the subsearch. What I need is a search to look into all the values defined in the tag and pass them to the main search.

It looks like lookup table is the way to go.

0 Karma