It would be best not to use tags , but instead add metadata fields at index time (and do not use field name tag ) with settings like this:
In props.conf:
[host::<WindowsHost1of800>]
TRANSFORMS-meta_windows_type = meta_windows_type
[host::<LinuxHost1of800>]
TRANSFORMS-meta_linux_type = meta_linux_type
In transforms.conf:
[meta_windows_type]
REGEX = .
FORMAT = type::windows
DEST_KEY = _meta
[meta_linux_type]
REGEX = .
FORMAT = type::linux
DEST_KEY = _meta
https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction
... View more