Splunk does a wonderful job of searching through all of the data you’ve indexed, based upon your search command pipeline. There are times though that you can add additional intelligence to the search that Splunk cannot add on its own – perhaps this information is specific to your organizational structure, like host names or server names. Rather than typing this information within the Search pipeline each time, you can create a knowledge object in the form of a Splunk search tag.
Search Tags
To help you search more efficiently for particular groups of event data, you can assign one or more tags to any field/value combination (including event type, host, source, or source type) and then do your searches, based on those tags.
Tagging field value pairs
You can use Splunk Web to create your tags directly from your search results. As an example, I’ve indexed multiple Cognos TM1 server logs into my Splunk server. These logs are generated from many different TM1 Admin servers but are all indexed by one Splunk server. If I’d like to be able to search a particular server source without having to qualify it in each of my searches, I can create a tag for that server.
In a resulting search, I can select any event that has the field value pair that I want to tag, then:
1. Click on the arrow next to that event:
2. Under Actions, click on the arrow next to that field value:
3. Now select Edit Tags:
4. Create your tag and click Save:
In my example, I created a tag named “TM1-2” that specifies a particular TM1 server source. In the future, I can then use that tag to further narrow my search and isolate events that occurred only in that server log:
tag=TM1-2 product x plan
You can use the tag to narrow down the search (like in my example above) by using the following syntax:
tag=<tagname>
Or, you can even further narrow down your search by associating your tag to a specific field using the following syntax:
tag::<field>=<tagname>
Use wildcards to search for tags
As a Splunk Master, you can “get wild” and use the asterisk (*) as a wildcard when searching using your tags. For example, if you have multiple event-type tags for various types of TM1 servers, such as TM1-1 and TM1-99, you can search for all of them with:
tag::eventtype=TM1-*
If you want to find all hosts whose tags contain “22”, you can search for the tag:
tag::host=*22*
Here is an interesting example that I have yet to utilize (although you’ll find it in several places in the Splunk documentation): if you wanted to search for the events with event types that have no tags associated with them, you can search for the Boolean expression:
NOT tag::eventtype=*
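To make the four search forms above concrete, here is an added example (not Splunk’s own code and not part of the original post): a small Python model of how a tags.conf stanza, the knowledge object Splunk Web writes when you click Save, maps a field/value pair to tag names, and how tag=, tag::<field>=, wildcards and NOT resolve against two constructed events. The tags.conf text, host names and event types are all made up for illustration.

```python
import fnmatch
import re

# Constructed tags.conf fragment: stanza is [<field>=<value>],
# body lines are <tagname> = enabled | disabled.
TAGS_CONF = """
[host=tm1srv02]
TM1-2 = enabled

[host=tm1srv22]
TM1-22 = enabled

[eventtype=tm1_login]
TM1-1 = enabled
TM1-99 = disabled
"""

# Constructed events with the fields a tag can be attached to.
EVENTS = [
    {"host": "tm1srv02", "eventtype": "tm1_login", "source": "tm1server.log"},
    {"host": "tm1srv22", "eventtype": "tm1_restart", "source": "tm1server.log"},
]

def parse_tags_conf(text):
    """Return {(field, value): {tag, ...}}, keeping only enabled tags."""
    tags, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)=(.+)\]", line)
        if m:
            stanza = (m.group(1), m.group(2))
            tags.setdefault(stanza, set())
            continue
        name, _, state = line.partition("=")
        if stanza and state.strip() == "enabled":
            tags[stanza].add(name.strip())
    return tags

def matches(event, query, tags):
    """Evaluate one term: tag=<name> or tag::<field>=<name>, * wildcard, optional NOT."""
    negate = query.startswith("NOT ")
    lhs, _, pattern = (query[4:] if negate else query).partition("=")
    per_field = {f: tags.get((f, v), set()) for f, v in event.items()}
    if lhs == "tag":                       # any field's tags
        candidates = set().union(*per_field.values())
    elif lhs.startswith("tag::"):          # tags on one named field only
        candidates = per_field.get(lhs[len("tag::"):], set())
    else:
        raise ValueError("not a tag term: " + query)
    hit = any(fnmatch.fnmatchcase(t, pattern) for t in candidates)
    return hit != negate                   # NOT flips the result

def search(query, events=EVENTS, conf=TAGS_CONF):
    """Hosts of the events the tag term selects, in index order."""
    tags = parse_tags_conf(conf)
    return [e["host"] for e in events if matches(e, query, tags)]
```

Note that fnmatch also treats ? and [...] as special, which this model does not guard against; it is only meant to show how the * forms above select events.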
Wildcards in general
Wildcard support makes searching very flexible; however, it is important to understand that the “more flexible” (or less specific) your Splunk searches are, the less efficient they will become. It is recommended that care be taken when using wildcards within your searches.
Splunk On!