I'm trying to search tags created as "tag::source".
This returns data: "tag::source"=$hostlabel$_* | stats count by "tag::source"
, but that returns counts that each go above 100 and even 10k+, which will eventually slow down searching/populating the results.
I just need to list the "tag::source"=$hostlabel$_* values, which could be "tag::source"=JIRA* (example),
where I'll limit the count to a maximum of 10.
tag::source    count
JIRA_A         10
JIRA_B         8
JIRA_C         10 (without the limit, this results in more than 10k)
"tag::source"=$hostlabel$_* | dedup "tag::source" | head 10 | table "tag::source"
Or maybe you're looking for this:
"tag::source"=$hostlabel$_* | dedup "tag::source" | table "tag::source"
If you're just trying to list all the tags defined for field source, you can use the Splunk REST API endpoint for tags.
| rest /servicesNS/admin/search/search/fields/host/tags
Thanks for the reply.
Tried that. Will it be possible to fire that from the search itself?
Working on: I made some tags, and one of the tags searches for files abc.log*, as there are files like abc.log.2017-01-01 and others, so the exact file abc.log doesn't get listed under the tag related to that host.
When I ran the | rest /services/search/tags
query, I got the data but not my tags which were created. Which services/rest to call?
I have tags like "tag::source"=JIRA_ACCESS_LOGS
I would like to have the tag that matches XYZ_*.
Try one of these REST endpoints:
| rest /servicesNS/-/-/search/fields/host/tags
| rest /servicesNS/-/-/search/tags