Solved: How do I automatically tag new results?

mctester · ‎04-21-2010

I need to create a custom chart in splunk and be able to tag the results of that search with a ticket number for tracking purposes. I run into issues when I run the search right now because only one host is tagged. The search is related to virus infections and new infections will happen quite often. Is there any way when I run my search, to automatically tag the new results that do not have a tag yet with "New"

example:

search ..................... | chart count by tag::src (this only returns results if the hosts have already been tagged). I tried to use the fillnull value=New tag::src but that did not work.

gkanapathy · ‎04-21-2010

No, there really isn't any such functionality in the product, at least not that would work for what you're trying to do. Yours isn't the first request for such, but I would file an Enhancement Request with Splunk Support (a P4 ticket here http://www.splunk.com/page/submit_issue) because the more people ask for it, the sooner it'll get done.

View solution in original post

gkanapathy · ‎04-21-2010

No, there really isn't any such functionality in the product, at least not that would work for what you're trying to do. Yours isn't the first request for such, but I would file an Enhancement Request with Splunk Support (a P4 ticket here http://www.splunk.com/page/submit_issue) because the more people ask for it, the sooner it'll get done.

How do I automatically tag new results?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...