Knowledge Management

Using tags to search other fields

mcm10285
Communicator

I'm trying to find a way to use tags in a search, such that the tag entries are cross-matched to the search. This would sound like a job for lookups, but is there a way to use the tag?

I found this link (below), but I'm not sure it works for me or if I did anything wrong.

    eventtype=foo [search tag::host=tagname | dedup host | fields host | rename host as foo_field]...

http://splunk-base.splunk.com/answers/1325/using-host-tags-or-similar-when-searching-on-fields

  • My objective: To get the same result as the search below.

    eventtype=foo ip1 OR ip2 OR ip3|table foo_field field1 field2

  foo_field is a field from the eventtype that would correspond to ip1, ip2, ip3, etc.

  • Given: tagname: host=ip1, host=ip2, host=ip3

Except for using lookup table, any other ideas?


martin_mueller
SplunkTrust

Assuming search tag::host=tagname yields events from hosts ip1, ip2, and ip3, the first subsearch should build a search something like this:

    eventtype=foo (foo_field=ip1 OR foo_field=ip2 OR foo_field=ip3)

That's different from your desired search eventtype=foo ip1 OR ip2 OR ip3, for that you could modify the subsearch into this:

    eventtype=foo [search tag::host=tagname | return $host]

This will build a search something like this:

    eventtype=foo (ip1 OR ip2 OR ip3)

martin_mueller
SplunkTrust

I see, you want an entire list of tags... the REST API is the way to go then, using the rest command in the search language and this endpoint: http://docs.splunk.com/Documentation/Splunk/5.0.2/RESTAPI/RESTknowledge#search.2Ftags.2F.7Btag_name....

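Taking the REST route suggested above, as an added example that is not from this thread: the subsearch reads the tag definitions through the `configs/conf-tags` endpoint rather than the `search/tags/{tag_name}` endpoint linked above (same data, since each tags.conf stanza is named `field=value` and carries an attribute `<tagname> = enabled`), and it assumes the tag is literally named `tagname` and that it is applied to `host` values.

```spl
eventtype=foo
    [| rest /services/configs/conf-tags
     | search tagname=enabled
     | rex field=title "^host=(?<foo_field>.+)$"
     | where isnotnull(foo_field)
     | dedup foo_field
     | return 1000 foo_field]
| table foo_field field1 field2
```

The subsearch expands to an OR of `foo_field="ip1"`, `foo_field="ip2"`, ... (use `return 1000 $foo_field` for the bare `ip1 OR ip2 OR ip3` form instead). Because it reads tags.conf directly it lists every host tagged `tagname` whether or not that host has indexed events, limited to the stanzas the searching user is permitted to read.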

mcm10285
Communicator

Thanks for this. However, I don't think it will work, since it is still looking into the "host=ip1" as the log source and just returning that value as something to pass from the subsearch. What I need is a search to look into all the values defined in the tag and pass them to the main search.

It looks like a lookup table is the way to go.
