Splunk Search

Can I create and delete tags using search expressions in Splunk 4.0?

maverick
Splunk Employee

The tagcreate and tagdelete commands existed in Splunk 3.x, but they do not seem to be supported in Splunk 4.0.

Any idea when they are expected to return to Splunk 4.0?

OR

Perhaps they are being replaced by something better?

1 Solution

Lowell
Super Champion

Have you considered using lookups instead? Lookups certainly do not replace tags, but they do functionally overlap in certain situations and you may find that lookups are a more natural solution. (You haven't given any details as to what you are trying to do, so lookups may or may not be a good option for you.) I know there are a number of places where we used tags in Splunk 3.x (because that was the best option then) and we are now moving to using lookups in Splunk 4.0+.

I'm guessing that you were using tagcreate from a saved search in Splunk 3.x? If so, you may be able to use lookups in 4.0. In Splunk 4.0+, you can use saved searches to generate lookup tables: Take a look at the action.populate_lookup.* settings in the savedsearches.conf reference.

If you want to append your lookup table instead of replace it each time your saved search runs, you should be able to leverage the inputlookup command's append=t option. For example, if your saved search creates a lookup table named my_lookup.csv, then you should be able to use a search pattern like this in your saved search:

<<base search>> | fields + key val1 val2 | inputlookup append=t my_lookup.csv | dedup key

Lookups also have the advantage of being able to match against more than one field, and can return more than one value as well as adding a simple date-effectivity into the mix. Whereas tags tie only to a single field, and can't represent changes over time.
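
A concrete version of that pattern, as an added example and not part of Lowell's answer: a scheduled saved search that maintains a host-to-role lookup and rewrites the lookup file each run with the merged result. The stanza name, the source type asset_inventory, the fields host and role, and the lookup definition name my_lookup are assumptions made for the illustration; action.populate_lookup and action.populate_lookup.dest are the savedsearches.conf settings the answer points to, and the inputlookup append=t / dedup step is the append pattern from the answer.

```ini
# transforms.conf  (added example, not from the original post)
# A lookup definition so the saved search can name the lookup rather than a path.
[my_lookup]
filename = my_lookup.csv

# savedsearches.conf  (added example, not from the original post)
# Assumed names: stanza, sourcetype=asset_inventory, fields host/role.
[Maintain host role lookup]
# New results come first in the pipeline, the existing lookup rows are appended
# after them, and dedup keeps the first row per host, so a fresh role wins over
# the stored one while hosts not seen this run keep their previous row.
search = sourcetype=asset_inventory | fields + host role | inputlookup append=t my_lookup.csv | dedup host
# Run every hour over the last hour of events.
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
# Replace the lookup contents with the merged search results on each run.
action.populate_lookup = 1
action.populate_lookup.dest = my_lookup
```

The ordering matters: if the dedup ran before the inputlookup append, stale rows from the file would survive alongside the new ones, and if the existing rows were put ahead of the search results, the old role would win. The search window (dispatch.earliest_time) only needs to cover the interval since the last run, because earlier hosts are carried forward from the file.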

Lowell
Super Champion

Yeah, I'm interested in the official answer to that question as well. But the thought occurred to me that lookups could be a substitute or even an enhancement in certain use cases, so I figured I'd share that with the hopes that it may help you or someone else in the future, even if these commands are re-introduced. But yeah, an official answer would be greatly appreciated.

maverick
Splunk Employee

Great suggestions and thank you for the response. Much appreciated.

However, I was just wanting to know specifically about the current state of the tagcreate and tagdelete commands and if we have officially retired them or if we are planning to bring them back in the future sometime, similar to how we had Live Tail in 3.4.x, then when 4.0.x came out last year, that feature was "missing" until recently when 4.1.x was released, and now it's back and better than ever. Make sense?

Justin_Grant
Contributor

Wow, a downvote. Tough crowd. Seems like a legit question to me. +1.