Tags in Splunk are useful for grouping events with related field values. Unlike Event Types, which are defined by a saved search string, Tags are created and mapped to specific field-value combinations. Multiple Tags can be assigned to the same field-value combination, and the same Tag can be applied to many field-value combinations.
A common scenario of using Tags is for classifying IP addresses. In the Eventgen logs, three IP addresses are automatically generated. We will create Tags against these IP addresses to allow us to classify them:
| IP address | Tags |
|---|---|
| 10.2.1.33 | main, patched, and east |
| 10.2.1.34 | main, patched, and west |
| 10.2.1.35 | backup and east |
We are going to group IP addresses by purpose, patch status, and geolocation in the server farm of three servers represented in our Eventgen data. We will achieve this using Tags, as shown in the following steps:
- Begin by using the following search command:
SPL> index=main server_ip=10.2.1.33
- Expand the first event by clicking on the information field, as seen in this screenshot:
- While expanded, look for the server_ip field. Click on the Actions dropdown and select Edit Tags:
- In the Create Tags window, fill in the Tag(s) text area using the following screenshot as a guide. For 10.2.1.33, you will use the following Tags: main, patched, and east.
- Click on Save when you're done.
- Do the same for the remaining two IP addresses and create Tags based on the previous table.
- To see Tags in action, run the following search command:
SPL> index=main tag=patched OR tag=east
This will give you all the events that come from the servers that are patched or located in the east. Note that tag=east matches the east Tag on any field; if you want to restrict it to Tags on a particular field, use the field-scoped form tag::server_ip=east. You can then combine these with other search terms or an Event Type to narrow down the search results.
Consider a scenario where you need to find all booking payments with errors originating from the servers in east.
Without Event Types or Tags, you would have to spell out both east servers and the payment error condition by hand (the parentheses make the grouping explicit rather than relying on Boolean precedence, which differs between the search command and the where command):
SPL> index=main (server_ip=10.2.1.33 OR server_ip=10.2.1.35) AND (http_uri=/booking/payment http_status_code=500)
Compare that to this much more elegant and shorter search command:
SPL> eventtype=bad_payment tag=east
Here's an additional exercise for you. Create Tags for the following fields using this table as a guide, and then use them in a search. Remember to begin each search with index=main followed by the field and value, so that the expanded event you edit actually carries the field-value combination you want to Tag:
| Field and value | Tags |
|---|---|
| http_uri = /destination/LAX/details | major_destination |
| http_uri = /destination/NY/details | major_destination |
| http_uri = /destination/MIA/details | home |
| http_status_code = 301 | redirect |
| http_status_code = 404 | not_found |
Now you can use these Tags to search for bookings to major destinations whose status code carries the not_found Tag. The following search combines what you have learned in this chapter so far:
- Go ahead and run this now:
SPL> eventtype=destination_details tag=major_destination tag=not_found
- Look through your results and see that you now have data from the destinations LAX and NY, where the response code indicates the page was not found.
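To make clear what the Edit Tags dialog actually saves, and what Splunk does with a tag= term at search time, here is an added example that is not part of this book's text or of Splunk's own code. The UI steps for the three server IP addresses and the exercise table above both write stanzas of the form [field=value] into tags.conf, one "tagname = enabled" line per Tag; the script parses such a file, rewrites a tag= (or tag::field=) term into the OR of field-value pairs that Splunk substitutes, and filters a handful of constructed events the way the searches on this page do. The tags.conf text and the sample events are constructed to mirror the two tables; the function names are assumptions of this example, not a Splunk API.

```python
import re
from collections import defaultdict

# Constructed tags.conf text mirroring both tables on this page.
# Splunk's tags.conf format is [<field>=<value>] stanzas with one
# "<tag> = enabled" line per Tag; the Edit Tags dialog writes the same thing.
TAGS_CONF = """
[server_ip=10.2.1.33]
main = enabled
patched = enabled
east = enabled

[server_ip=10.2.1.34]
main = enabled
patched = enabled
west = enabled

[server_ip=10.2.1.35]
backup = enabled
east = enabled

[http_uri=/destination/LAX/details]
major_destination = enabled

[http_uri=/destination/NY/details]
major_destination = enabled

[http_uri=/destination/MIA/details]
home = enabled

[http_status_code=301]
redirect = enabled

[http_status_code=404]
not_found = enabled
"""

STANZA_RE = re.compile(r"^\[(?P<field>[^=\]]+)=(?P<value>[^\]]+)\]$")


def parse_tags_conf(text):
    """Return {tag: {(field, value), ...}} from tags.conf text.
    Tags set to anything other than 'enabled' are ignored."""
    tags = defaultdict(set)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = (m.group("field"), m.group("value"))
            continue
        if current is None or "=" not in line:
            continue
        tag, state = (part.strip() for part in line.split("=", 1))
        if state == "enabled":
            tags[tag].add(current)
    return dict(tags)


def expand_tag(tags, tag, field=None):
    """Rewrite tag=<tag> (or tag::<field>=<tag> when field is given) into the
    parenthesised OR of field-value pairs that stands in for it at search time.
    Returns None for a Tag no field-value pair carries, which can match nothing."""
    pairs = sorted(p for p in tags.get(tag, ()) if field is None or p[0] == field)
    if not pairs:
        return None
    return "(" + " OR ".join(f"{f}={v}" for f, v in pairs) + ")"


def has_tag(tags, event, tag, field=None):
    """True if any field of the event (or just `field`) carries the Tag."""
    return any((f, str(v)) in tags.get(tag, set())
               for f, v in event.items()
               if field is None or f == field)


def search(tags, events, predicate):
    """Keep the events for which the predicate holds, mirroring a search filter."""
    return [e for e in events if predicate(e)]


# Constructed events in the shape of the Eventgen data used in this chapter.
EVENTS = [
    {"server_ip": "10.2.1.33", "http_uri": "/booking/payment", "http_status_code": "500"},
    {"server_ip": "10.2.1.34", "http_uri": "/destination/LAX/details", "http_status_code": "404"},
    {"server_ip": "10.2.1.35", "http_uri": "/destination/NY/details", "http_status_code": "404"},
    {"server_ip": "10.2.1.35", "http_uri": "/destination/MIA/details", "http_status_code": "301"},
]

if __name__ == "__main__":
    tags = parse_tags_conf(TAGS_CONF)
    print("tag=east  ->", expand_tag(tags, "east"))
    # index=main tag=patched OR tag=east
    print(len(search(tags, EVENTS, lambda e: has_tag(tags, e, "patched") or has_tag(tags, e, "east"))), "events")
    # tag=major_destination tag=not_found (adjacent terms are an implicit AND)
    hits = search(tags, EVENTS, lambda e: has_tag(tags, e, "major_destination") and has_tag(tags, e, "not_found"))
    print([e["http_uri"] for e in hits])
```

Running it prints the expansion of tag=east, which is exactly the parenthesised group of server addresses that the long-hand booking payment search on this page spells out by hand; passing field="server_ip" to expand_tag or has_tag gives the behaviour of the field-scoped tag::server_ip=east form, and a Tag that no stanza enables expands to None rather than to an empty group, so a misspelt Tag name silently matches nothing, which is worth checking when a tag-based search returns no results.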