Sorting results by time when an event was tagged

cr019283
New Member

I collect data over a period of time, and someone in the team can add a tag to collected events; some of the events were added a year ago, some of them within hours or days.

For example, with this query:

index=collected_events | stats count(tag) by tag

I would like to see stats about all recently tagged events even if they are very old.

Is it possible to query only for events that got tags within the last hour or day (basically I need tag creation time instead of event import time)?

Can Splunk sort details based on the time when a tag was added rather than when the data was added to the index?

Can I display the content of tags.conf from the search box for example to make a join query?

0 Karma

martin_mueller
SplunkTrust

The creation time of a tag is not known to the search, all tags apply to all old data by design.
To work around this you could "tag" your data with lookups. Say you want to tag data by the host field, you'd create a lookup with these three columns:

host, host_tag, valid_from

Then anyone "tagging" hosts would add a row to this lookup, including the time from which the tag should apply. This lookup would be configured as an automatic time-based lookup to magically only apply from the valid_from time and onwards.

To display available tags, you can make REST calls from the search bar like this:

| rest splunk_server=local /services/saved/fvtags | table title tags eai:acl.app author
0 Karma
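A concrete configuration for the time-based lookup described in the answer above, as an added example that is not from the original thread; the lookup name host_tags, the CSV file name, the sourcetype stanza name and the sample rows are assumptions.

```ini
# host_tags.csv  (uploaded as a lookup table file; constructed sample rows)
# Anyone "tagging" a host appends a row with the time the tag starts to apply.
#
#   host,host_tag,valid_from
#   web-01,important,2019-05-01T09:00:00
#   db-02,important,2019-06-12T14:30:00

# transforms.conf  -- defines the lookup and makes it time-based
[host_tags]
filename = host_tags.csv
# Column that Splunk compares against each event's _time
time_field = valid_from
# Must match how valid_from is written in the CSV (default would be epoch %s.%Q)
time_format = %Y-%m-%dT%H:%M:%S
# Event _time must be >= valid_from (min_offset_secs) and at most this far
# after it; the defaults shown mean "from valid_from onwards, forever".
min_offset_secs = 0
max_offset_secs = 2000000000
# Temporal lookups return the single best-matching row by default
max_matches = 1

# props.conf  -- applies the lookup automatically at search time
[YOUR_SOURCETYPE_HERE]
LOOKUP-host_tag = host_tags host OUTPUTNEW host_tag

# Searches that then use the enriched field (SPL, not conf):
#   index=collected_events | stats count by host_tag
#   index=collected_events host_tag=important earliest=-1d
#
# Sanity check that the lookup loaded and the column names are right:
#   | inputlookup host_tags
```

Events whose _time is earlier than the matching valid_from get no host_tag, so the stats split naturally reflects when the tag began to apply rather than when the row was indexed.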

martin_mueller
SplunkTrust

I think you're not looking for tags then. You'd need to build a place to store the fact "row xyz was tagged as foo on date", e.g. in a lookup file or kvstore.

0 Karma

cr019283
New Member

Thank you for the quick response. I think it doesn't solve my use case, as I would like to get the exact time when a tag was added to a given row rather than when the tag was created.

For example, I could create a tag called 'important' and start adding it to various events, and then I would like to see last tagged ones. What I need is probably a timestamp of the last modification, if we can call adding 'a tag' a modification.

0 Karma