Knowledge Management

Tags: Whats the best way to see all that is tagged

Michael_Wilde
Splunk Employee
Splunk Employee

I am working on a project where several people are going in to a Splunk server and tagging hosts. (Tagging is used, in this case to denote the person responsible for extracting fields on a host AND to set the state of tagging.. like "done" or "in process".

Is there a smart way to see all hosts that have been tagged, what their tags are (and conversely, which hosts haven't been tagged).

I know i could do a search on "* NOT (host::tag::fx_done OR host::tag::fx_wip)" but that wouldn't be efficient as I don't really need events.. just metadata.

Previous versions of Splunk had the tags listed next to host metadata on the Summary page.

Thoughts?

Tags (1)
1 Solution

gkanapathy
Splunk Employee
Splunk Employee
| metadata type=hosts | tags | search NOT (tag::host=fx_done OR tag::host=fx_wip)

will add the tags for each host to the metadata as an MV field, and then you can search on them.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee
| metadata type=hosts | tags | search NOT (tag::host=fx_done OR tag::host=fx_wip)

will add the tags for each host to the metadata as an MV field, and then you can search on them.

gilescope
Explorer

Is there a way of subsetting to the tags definined in a particular app?

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

huh, what do you know. totally undocumented. i wonder if it's supposed to be.

0 Karma

Michael_Wilde
Splunk Employee
Splunk Employee

I didnt' think | tags was still a search command. It doesn't show up in the search assistant. I should have just tried it.. but then again, its a worthy question for others to know. Thanks for the answer G.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

the tags command is the same one that was used to retrieve and display the tags in the dashboards in 3.x, and still works in 4.x. It's just the dasboards have changed and no longer display them.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...