Hi fronbinson
Tags aren't saved searches as far as I'm aware (although they may be in the context of the API...), although I have tried using the search endpoint to run them (without any success, I may add).
I'll take a look at your documentation at some stage and see if I can get it working! Thanks for the pointer.
My use case shouldn't be important to the question; however, to add some context, it is the following (please feel free to suggest alternatives which may work better):
We are creating application containers (via Docker) to create and destruct application tiers as required - the Splunk integration will also be automated. A forwarder will be sitting inside each application container and then a script will start the service and link to our search head (for deployer) and indexer. There will be multiple 'apps' which contain all the scripts and config for each application tier. As part of the initiate script a tag will be sent which says the host is 'active', then when the container is destroyed the tag for the unique hostname (the host is being overridden to ensure it's unique) will be updated to 'inactive'. This will ensure any monitoring we have on that agent is disabled without any risk to the historical data.
One way we could have done it was to change the hostname upon 'destruct' to contain _inactive - however, any historical events would have a different hostname then. I would prefer instead to have a tag which can be dynamic and change based upon our requirements and would affect all data.