to list the tags pertaining to some name

piyush_annadate · ‎02-28-2017

I'm trying to search tags created as "tag::source".

This returns data: "tag::source"=$hostlabel$_* | stats count by "tag::source" ,but that returns like each count goes more than 100 and even in 10k+which will eventually lie down slow to searching/populating result.

I just needs to list the "tag::source"=$hostlabel$_* which could be "tag::source"=JIRA* (example).
wherein I'll limit the count to max 10

tag::source....... count
JIRA_A............... 10
JIRA_B............... 8
JIRA_C................ 10 (without limit this results more than 10k)

jkat54 · ‎03-01-2017

 "tag::source"=$hostlabel$_* | dedup "tag::source" | head 10 | table "tag::source"

Or maybe you're looking for this

 "tag::source"=$hostlabel$_* | dedup "tag::source" | table "tag::source"

somesoni2 · ‎02-28-2017

If you're just trying list all the tags defined for field source, you can use the Splunk REST API endpoint for tags.

| rest /servicesNS/admin/search/search/fields/host/tags

piyush_annadate · ‎02-28-2017

thanks for the reply .
tried that.. will that be possible to fire from the search itself.
Working on: Made some tags and one of the tag search for files abc.log* as there are file with abc.log.2017-01-01 and other so the exact file abc.log doesn't get listed under tag related to that host.

When I ran | rest /services/search/tags query I got the data but not my tag which where created. Which sevices/rest to call?
I have tags like "tag::source"=JIRA_ACCESS_LOGS

I would like to have tag that matched XYZ_*.

somesoni2 · ‎03-01-2017

Try one of these REST Endpoints

 | rest /servicesNS/-/-/search/fields/host/tags

 | rest /servicesNS/-/-/search/tags

to list the tags pertaining to some name

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability