Tags allow you to attach a marker to the fields and event types in Splunk. You can then search and report on these tags later. Let's attach a tag to a couple of users who are administrators. Start with the following search:
sourcetype="impl_splunk_gen" | top user
This search gives us a list of our users such as ronnie, tuck, jarde, shelby, and so on.
Let's say that in our group, shelby and steve are administrators. Using a standard search, we can simply search for these two users like this:
sourcetype="impl_splunk_gen" (user=shelby OR user=steve)
Searching for these two users by name will keep working. However, if we search for a tag value instead, we avoid having to update multiple saved queries in the future.
To create a tag, we first need to locate the field. If the user field isn't already visible, click on it in the field picker, and then click on Select and show in results.
From our listed events, select an event and click on the arrow in the column i.
Next, click the Actions arrow for the field to create a tag for, and select Edit Tags. This opens the Create Tags dialog.
Let's tag user=steve with admin. We now see our tag next to the field user.
Once this is done, follow the same steps for user=shelby. With these two users tagged, we can search for the tag value instead of the actual usernames:
sourcetype="impl_splunk_gen" tag::user="admin"
Under the covers, this query is unrolled into exactly the same query that we started with. The advantage is that if this tag is added to new values or removed from existing ones, no queries have to be updated.
Some other interesting features of tags are as follows:
- Tags can be searched globally simply by using tag=tag_name; in this case, tag=admin. Using this capability, you can apply any tag to any field or event type, and simply search for the tag. This is commonly used in security applications to tag hosts, users, and event types that need special monitoring.
- Any field or event type can have any number of tags. Simply choose the tag editor and enter multiple tag values separated by spaces.
- To remove a tag, simply edit the tags again and delete the value(s) that are no longer needed.
- Tags can also be edited in Settings at Settings | Tags.
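To make the unrolling concrete, here is an added example (not code from the book) that models how a tag search such as tag::user="admin", or a global tag=admin, is expanded into the equivalent field=value OR clause. It assumes a constructed tags.conf fragment (the [field=value] stanza format with `tagname = enabled|disabled`) and a handful of constructed events standing in for what sourcetype="impl_splunk_gen" would return.

```python
"""Model of how Splunk unrolls a tag search into field=value terms.
Added example (not the book's code): a constructed tags.conf fragment
and constructed events stand in for sourcetype="impl_splunk_gen"."""
import re
from collections import defaultdict

TAGS_CONF = """
[user=steve]
admin = enabled
[user=shelby]
admin = enabled
[host=vlbmba]
admin = disabled
"""

EVENTS = [  # constructed sample events
    {"user": "steve", "host": "vlbmba", "action": "login"},
    {"user": "shelby", "host": "vlbmba", "action": "sudo"},
    {"user": "ronnie", "host": "vlbmba", "action": "login"},
    {"user": "tuck", "host": "vlbmba", "action": "login"},
]

def parse_tags_conf(text):
    """Return {tag: {(field, value), ...}} for every enabled tag."""
    tags = defaultdict(set)
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(\w+)=([^\]]+)\]", line)
        if m:
            current = (m.group(1), m.group(2))
        elif current and "=" in line:
            tag, state = (p.strip() for p in line.split("=", 1))
            if state == "enabled":  # disabled stanzas are skipped
                tags[tag].add(current)
    return tags

def unroll(tag, tags, field=None):
    """tag::field=tag (or global tag=tag when field is None) -> pairs."""
    pairs = tags.get(tag, set())
    return sorted(p for p in pairs if field is None or p[0] == field)

def to_spl(pairs):
    """Render pairs as the OR clause Splunk substitutes for the tag."""
    return "(" + " OR ".join(f"{f}={v}" for f, v in pairs) + ")"

def search_tag(tag, events, tags, field=None):
    """Events hit by any unrolled pair, i.e. the same OR search."""
    pairs = unroll(tag, tags, field)
    return [e for e in events if any(e.get(f) == v for f, v in pairs)]
```

Adding a third administrator is a one-line change to the tags.conf text; every query written against the tag picks it up without being edited.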