Knowledge Management

server tags

rashid47010
Communicator

Hi everyone
I have four servers. Two are web portals and two are application servers. All four servers belong to one online service. Now, for my simple understanding, I want to tag them with the service name, so that when I run the query below I see the events from all four servers.

tag=onlineapplication

How can I do that?

0 Karma

gcusello
SplunkTrust

Hi rashid47010
I like to use tags associated with eventtypes, so I create an eventtype like this:

my_index=my_index sourcetype=my_sourcetype (host=hostAS1 OR host=hostAS2)

associating tag=applicationserver with it,
and then

my_index=my_index sourcetype=my_sourcetype (host=hostOS1 OR host=hostOS2)

associating tag=onlineservices with it.

In this way I can use them instead of searches (your search becomes tag=applicationserver OR tag=onlineservices) and you can easily manage changes in architecture (e.g. inserting an additional server) by modifying only the eventtype instead of all searches.

Have a good year.
Bye.
Giuseppe

0 Karma

rashid47010
Communicator

Great idea, but unfortunately for some services I have 15 to 20 servers. My next plan is to tag them based on zones, and then tag them as internal or external resources.

So in the end all hosts have three types of tags:

1- based on application
2- based on DMZ zones
3- based on internal or external location (internal means within the network and external means coming from the internet)

0 Karma

gcusello
SplunkTrust

OK, what is the problem? You'll have more than two tags, but either way you can easily manage them in only one place.
In addition, think (if possible) about using the same tag for different eventtypes: e.g. if I need to monitor logins on different systems (Win, Linux, appliances, ...), I can create one eventtype for each sourcetype and use tag=LOGIN for all of them; in this way, with only one tag I can search across different logs.
Bye.
Giuseppe

0 Karma
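The eventtype-plus-tag layout described in the posts above, written as Splunk configuration files. This is an added example, not part of the original thread: the eventtype stanza names and the zone/location tag names (dmz_zone1, internal) are assumptions, the host names are the thread's placeholders, and index=my_index is assumed for the index term.

```ini
# --- eventtypes.conf (in the app's local/ directory) ---
# One event type per server group. Adding a server later means
# editing only the search here, not every saved search.
[application_servers]
search = index=my_index sourcetype=my_sourcetype (host=hostAS1 OR host=hostAS2)

[online_service_servers]
search = index=my_index sourcetype=my_sourcetype (host=hostOS1 OR host=hostOS2)

# --- tags.conf (same directory) ---
# Tags on event types. The shared tag onlineapplication covers
# all four servers of the service with a single search term.
[eventtype=application_servers]
applicationserver = enabled
onlineapplication = enabled

[eventtype=online_service_servers]
onlineservices = enabled
onlineapplication = enabled

# Tags directly on a host value, for the zone and location
# dimensions (tag names here are assumed, one stanza per host).
[host=hostAS1]
dmz_zone1 = enabled
internal = enabled
```

With these in place, `index=my_index tag=onlineapplication` returns events from all four hosts. Naming the index in the search matters when that index is not among the ones the user's role searches by default.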

martin_mueller
SplunkTrust

There are several ways to get there; one is to go to the top right corner of the UI: Settings -> Tags -> Add new

http://docs.splunk.com/Documentation/Splunk/6.5.1/Knowledge/Tagthehostfield

0 Karma

martin_mueller
SplunkTrust

A tag defined on the host field doesn't have any knowledge of the index. Try this:

index=aix tag=abc
0 Karma

rashid47010
Communicator

I followed the same steps.
I associated tag=abc with the host below, and I can see the tag when I explore the events like this:

index=aix host=sssss

but when I use
tag=abc

I can't see anything. It might be some permission issue. I am logged in as a normal user.

0 Karma