Configure tags

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13

Splunk stores tag information in the tags.conf configuration file. The tags.conf file enables you to define tags directly in the configuration file. You can also use it to access and edit any tags you've created through Splunk Web. The tags.conf file is located in $SPLUNK_HOME/etc/system/local/. (For more information about managing tags through Splunk Web, see the section on tags in the User Manual.)

With tags.conf, you can:

  • Edit the file to add and remove tags
  • Share tags among Splunk servers by copying tags.conf from one server to another
  • Use the deployment server to push tags to deployment clients
  • Back up your tags when you back up your configuration files
  • Disable default tags from applications without editing the applications

Note: Splunk doesn't allow the use of wildcards in any part of tags.conf. If you want to include more than one host for tagging, save a search as an event type and tag it.


Configure tags with tags.conf files

When you first create tags in Splunk Web for your Splunk server, Splunk automatically creates a tags.conf file in $SPLUNK_HOME/etc/system/local/. Any tags you create through Splunk Web will show up in this primary tags.conf file.

If you use a Splunk application, you may want to define a separate set of tags that are specific to that application. If that is the case, you need to manually create a tags.conf file in the folder for that application in $SPLUNK_HOME/etc/apps/, and define the tags specific to that application within it. Each Splunk application you use can have its own separate tags.conf file. Keep in mind that even when you are using Splunk applications, tags you create through Splunk Web will always be added by Splunk to the primary tags.conf file in $SPLUNK_HOME/etc/system/local/.

For more information on configuration files in general, see how configuration files work.

In the tags.conf file:

  • Stanzas group values for specific fields together, and tags are then associated with these values
  • Each stanza line can contain only one tag, but you can use the same tag for multiple values within a stanza
  • There can be any number of stanzas, but each stanza refers to just one field in your system
  • Each tag in the stanza must be either enabled or disabled
  • A stanza can contain any number of tags as long as there is only one tag per line

So the basic syntax of a tags.conf stanza is as follows:

[<field name>]
tag::<value>::<tag> = <enabled|disabled>

The following syntax example shows how you can apply multiple tags to a single field value and associate specific tags with multiple field values:

[<field name>]
tag::<value1>::<tag1> = <enabled|disabled>
tag::<value1>::<tag2> = <enabled|disabled>
tag::<value2>::<tag2> = <enabled|disabled>
tag::<value2>::<tag3> = <enabled|disabled>

In the above syntax example, note that:

  • value1 and value2 are each associated with two tags
  • tag2 is associated with both value1 and value2


Examples

These examples illustrate how to create, edit, and disable tags in a tags.conf file.

Note: After you make changes to a tags.conf file you must restart Splunk to apply those changes.

Create or edit tags

To create a group of tags for the host field:

  • host="localhost" with tags local and dharma
  • host="hulk" with tags remote and linuxhost
  • All active tags for host are enabled.

[host]
tag::localhost::local = enabled
tag::localhost::dharma = enabled
tag::hulk::remote = enabled
tag::hulk::linuxhost = enabled

Note: You can also create tags using the tagcreate function in Splunk Web. For more information, see the topic Manage tags with tagcreate and tagdelete.

Disable tags

To disable the local and dharma tags, change their entries from enabled to disabled:

[host]
tag::localhost::local = disabled
tag::localhost::dharma = disabled
tag::hulk::remote = enabled
tag::hulk::linuxhost = enabled

Note: You can also disable tags using the tagdelete function in Splunk Web. For more information, see the topic Manage tags with tagcreate and tagdelete.

Revision: 207. Community content licensed under Creative Commons.