to list the tags pertaining to some name

piyush_annadate · ‎02-28-2017

I'm trying to search tags created as "tag::source".

This returns data: "tag::source"=$hostlabel$_* | stats count by "tag::source" ,but that returns like each count goes more than 100 and even in 10k+which will eventually lie down slow to searching/populating result.

I just needs to list the "tag::source"=$hostlabel$_* which could be "tag::source"=JIRA* (example).
wherein I'll limit the count to max 10

tag::source....... count
JIRA_A............... 10
JIRA_B............... 8
JIRA_C................ 10 (without limit this results more than 10k)

jkat54 · ‎03-01-2017

 "tag::source"=$hostlabel$_* | dedup "tag::source" | head 10 | table "tag::source"

Or maybe you're looking for this

 "tag::source"=$hostlabel$_* | dedup "tag::source" | table "tag::source"

somesoni2 · ‎02-28-2017

If you're just trying list all the tags defined for field source, you can use the Splunk REST API endpoint for tags.

| rest /servicesNS/admin/search/search/fields/host/tags

piyush_annadate · ‎02-28-2017

thanks for the reply .
tried that.. will that be possible to fire from the search itself.
Working on: Made some tags and one of the tag search for files abc.log* as there are file with abc.log.2017-01-01 and other so the exact file abc.log doesn't get listed under tag related to that host.

When I ran | rest /services/search/tags query I got the data but not my tag which where created. Which sevices/rest to call?
I have tags like "tag::source"=JIRA_ACCESS_LOGS

I would like to have tag that matched XYZ_*.

somesoni2 · ‎03-01-2017

Try one of these REST Endpoints

 | rest /servicesNS/-/-/search/fields/host/tags

 | rest /servicesNS/-/-/search/tags

to list the tags pertaining to some name

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases