Knowledge Management

to list the tags pertaining to some name

piyush_annadate
New Member

I'm trying to search tags created as "tag::source".

This returns data: "tag::source"=$hostlabel$_* | stats count by "tag::source" ,but that returns like each count goes more than 100 and even in 10k+which will eventually lie down slow to searching/populating result.

I just needs to list the "tag::source"=$hostlabel$_* which could be "tag::source"=JIRA* (example).
wherein I'll limit the count to max 10

tag::source....... count
JIRA_A............... 10
JIRA_B............... 8
JIRA_C................ 10 (without limit this results more than 10k)

Tags (2)
0 Karma

jkat54
SplunkTrust
SplunkTrust
 "tag::source"=$hostlabel$_* | dedup "tag::source" | head 10 | table "tag::source"

Or maybe you're looking for this

 "tag::source"=$hostlabel$_* | dedup "tag::source" | table "tag::source"
0 Karma

somesoni2
SplunkTrust
SplunkTrust

If you're just trying list all the tags defined for field source, you can use the Splunk REST API endpoint for tags.

| rest /servicesNS/admin/search/search/fields/host/tags
0 Karma

piyush_annadate
New Member

thanks for the reply .
tried that.. will that be possible to fire from the search itself.
Working on: Made some tags and one of the tag search for files abc.log* as there are file with abc.log.2017-01-01 and other so the exact file abc.log doesn't get listed under tag related to that host.

When I ran | rest /services/search/tags query I got the data but not my tag which where created. Which sevices/rest to call?
I have tags like "tag::source"=JIRA_ACCESS_LOGS

I would like to have tag that matched XYZ_*.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try one of these REST Endpoints

 | rest /servicesNS/-/-/search/fields/host/tags

 | rest /servicesNS/-/-/search/tags
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...