Manage tags with tagcreate and tagdelete

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13

All tags are stored in the tags.conf configuration file. This topic shows you how to add tags to tags.conf, and how to disable them, using the tagcreate and tagdelete search commands with a subsearch.

For more information about editing tags manually with tags.conf, refer to the Admin Manual.

Note: This example is based on the Tagging with Splunk 3.3 feature video, which discusses the tagcreate and tagdelete search commands.


Create tags with tagcreate

Let's say you have a network of machines and a set of users who each have accounts on at least one of the machines. To search for the list of unique users of any one machine, you might use this:

<hostname> user | fields +user | dedup user

where hostname is the name of the machine and user is an extracted field name for the user accounts on the machine. The fields command strips out all the fields from your results except user. The dedup command removes duplicates; the result is a list of unique users.

Now, you want to create tags for each user to indicate which machines they use. To do this, pass the previous search as a subsearch to the tagcreate search command. For example, to tag users of wexford with wexford_user:

| tagcreate wexford_user [search wexford user | fields +user | dedup user]

The tagcreate command adds a list of tags into a stanza in tags.conf. When you tagged the user field in Splunk Web, Splunk added a [user] stanza to the tags.conf file. In each stanza in tags.conf, each tag has its own line:

[user]
tag::brian::wexford_user = enabled
tag::jason::wexford_user = enabled
tag::sophy::wexford_user = enabled
tag::barry::wexford_user = enabled

Note: You cannot have multiple tags in a tags.conf stanza line.

Now, Splunk Web includes the tag wexford_user next to the user field name and value. If you want to list all the machines the user can access next to the field, you can run this tagcreate for each hostname.


Disable tags with tagdelete

To disable these tags, use the tagdelete command and the same subsearch:

| tagdelete wexford_user [search wexford user | fields +user | dedup user]

For the same set of users, tags.conf now reads:

[user]
tag::brian::wexford_user = disabled
tag::jason::wexford_user = disabled
tag::sophy::wexford_user = disabled
tag::barry::wexford_user = disabled

Note: tagdelete does not actually delete tags from tags.conf. It disables them so they do not display in Splunk Web. To remove them, you have to manually edit tags.conf.
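The manual cleanup described in the note above can be scripted. The following is an added example, not part of the Splunk documentation or product: it parses the tags.conf line format shown on this page and drops every entry that tagdelete left as disabled. The names prune_disabled and SAMPLE are hypothetical, and the sample input is constructed.

```python
import re

# Line format shown on this page: tag::<field value>::<tag name> = enabled|disabled
TAG_LINE = re.compile(r"^tag::(?P<value>.+)::(?P<tag>[^:=\s]+)\s*=\s*(?P<state>\S+)\s*$")
STANZA = re.compile(r"^\[(?P<field>[^\]]+)\]\s*$")

# Constructed sample: the page's [user] stanza after tagdelete, with one
# entry left enabled to show that only disabled lines are dropped.
SAMPLE = """\
[user]
tag::brian::wexford_user = disabled
tag::jason::wexford_user = disabled
tag::sophy::wexford_user = enabled
tag::barry::wexford_user = disabled
"""


def prune_disabled(conf_text):
    """Return (pruned_text, removed); removed lists (field, value, tag) tuples."""
    kept, removed, field = [], [], None
    for line in conf_text.splitlines():
        stanza = STANZA.match(line.strip())
        if stanza:
            field = stanza.group("field")  # remember which field the tags belong to
            kept.append(line)
            continue
        entry = TAG_LINE.match(line.strip())
        if entry and entry.group("state").lower() == "disabled":
            removed.append((field, entry.group("value"), entry.group("tag")))
            continue  # drop the disabled tag line
        kept.append(line)  # blanks, enabled tags and unrecognized lines pass through
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    pruned, removed = prune_disabled(SAMPLE)
    for field, value, tag in removed:
        print(f"removed [{field}] {value} -> {tag}")
    print(pruned, end="")
```

Run it against a copy of tags.conf and review the removed list before replacing the original file.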
