Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Listing all tags in the search interface

gfriedmann
Communicator
‎09-18-2010 12:25 AM

I have been tagging hosts to aid in searching by environment, service, sub-service

I would like to make a dashboard widget that lists all the services for a particular environment.

Is there a search query i can use to dynamically list all tags in the system or app?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-18-2010 02:15 AM

This will do it:

| metadata type=hosts | tags | mvexpand tag::host | dedup tag::host | fields tag::host

If you need to drill down, you should be able to modify the standard dashboard a bit, just to select the right field name(s).

BTW, and maybe this is too late for you to consider, but I would strongly recommend for this purpose that you consider a lookup table (with a lookup on host returning each of your other fields) rather than tags. In some ways, they are much easier to manage, and you will be able to search by, e.g., environment=prod service=webserver rather than tag::host=env-prod tag::host=serv-webserver.

View solution in original post

Reply
Solved! Jump to solution

dbroggy
Path Finder
‎01-23-2021 06:44 PM

none of the above queries seem to work.

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-18-2010 02:15 AM

This will do it:

| metadata type=hosts | tags | mvexpand tag::host | dedup tag::host | fields tag::host

If you need to drill down, you should be able to modify the standard dashboard a bit, just to select the right field name(s).

BTW, and maybe this is too late for you to consider, but I would strongly recommend for this purpose that you consider a lookup table (with a lookup on host returning each of your other fields) rather than tags. In some ways, they are much easier to manage, and you will be able to search by, e.g., environment=prod service=webserver rather than tag::host=env-prod tag::host=serv-webserver.

Reply
Solved! Jump to solution

gfriedmann
Communicator
‎09-20-2010 04:04 PM

Thank you. Tags seemed more natural to me and i understand them already. I'll investigate the lookup table. I suspect lookup tables would be cached in RAM for it to be speedy. I can see how exporting "tag" type info from another system would be easier with a lookup table.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-18-2010 09:09 AM

It would be no worse and probably better to use lookup tables than tags.

0 Karma
Reply
Solved! Jump to solution

southeringtonp
Motivator
‎09-18-2010 03:56 AM

Are you suggesting the lookup table approach specifically because he's hitting metadata, as opposed to raw results? If searching against actual events, wouldn't there be a (possibly severe) performance penalty?

0 Karma
Reply
Solved! Jump to solution

gfriedmann
Communicator
‎09-18-2010 12:55 AM

I think i got a little closer with
|metadata type=hosts | fields host| tags| search tag::host=*| fields - host

If that is closer, now i need to figure out how to breakup the multiline, dedupe, and make the drill-down work. I'm hoping there is an easy query i'm missing.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...