How can we check if tag exists?

danielbb · ‎12-16-2019

We are trying the following -

index=<index name>
| head 4000 
| eval containstag = if(tag="*", "true", "false") 
| stats 
    count(eval(containstag="true")) as totaltags,
    count(_raw) as totalevents
    by index

Nothing comes back and removing the double quotes - if(tag=*, "true", "false") throws a syntax error.

What can we do?

to4kawa · ‎12-16-2019

index=<index name> | head 4000
 | eval containstag = if(isnull(tag), "false", "true")
 | stats count(eval(containstag="true")) as totaltags, count as totalevents by index

richgalloway · ‎12-16-2019

"*" is not a valid tag name and is not treated as a wildcard by if. Try this query:

... | eval containstag = if(match(tag, ".*"), 1, 0)
| stats sum(containstag) as totaltags, count as totalevents by index

---
If this reply helps you, Karma would be appreciated.

danielbb · ‎12-16-2019

And -

 index=<index name> | head 4000
| eval containstag = if(tag::eventtype="*", "true", "false")
| stats 
  count(eval(containstag="true")) as totaltags,
  count(_raw) as totalevents
  by index

Here, we get a syntax error on if(tag::eventtype="*", "true", "false").

How can we check if tag exists?

tag

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life