• About this manual
  • What's in this guide?
• About Splunk
  • About Splunk
  • About Splunk licenses
    • Which license?
    • Install your license
    • License violations
• Tutorial
  • About this tutorial
    • Requirements
    • Log in
    • Splunk Web
    • Command line interface (CLI)
  • Simple searches
    • Index data
    • Search
    • Narrow your search
    • Use the timeline
  • Search results
    • Events and fields
    • Filter on fields
    • Define custom fields
    • Tag fields
    • Collect snapshots
  • Event types
    • Find similar events
    • Save as event type
    • Search for an event type
    • Tag an event type
    • Automated event type discovery
  • Save options
    • Save a search
    • Schedule the search
    • Schedule an alert
  • Reports
    • Report on results
    • Report on fields
    • Build new reports
    • Pick different charts
    • Add a report to your dashboard
  • More searches
    • Report
    • Transform
    • Re-order
    • Filter
    • Evaluate
    • Add a comparison
    • Use subsearches
  • CLI searches
• Use the Splunk Command Line Interface (CLI)
  • The Splunk CLI
    • Access help in the CLI
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
    • Start live tail
  • Search in the CLI
    • CLI Search syntax
    • Asynchronous searches (dispatch CLI command)
    • CLI search parameters
• Use form search
  • Form search
    • Run a form search
• Use Live Tail
  • Live tail
    • Use live tail in Splunk Web
    • The live tail interface
    • Start live tail from the CLI
    • Current limitations
• Use transaction search
  • Transactions
    • Example use cases
    • The transaction search command
    • Example transaction searches
    • Transactions and macro search
    • When to not use transactions
• Use tagging
  • About tags
    • Search for events containing tags
    • Configure tags
    • Configure roles for tagging
• Use reporting
  • Chart gallery
    • Column (or bar) chart
    • Stacked column (or bar) chart
    • Line chart
    • Area chart
    • Stacked area chart
    • Scatter plot
    • Pie graph
    • Doughnut graph
    • Bubble graph
    • Heat map
  • Examples of useful reports
    • Internal Splunk log data
    • System monitoring data
    • Web access data
    • Web application data
    • Firewall (or connection) activity
    • Email activity or email transactions
    • Transaction data
• Search reference
  • Splunk search
    • Generate search results
    • Construct searches
    • Types of search
    • Save and schedule searches
    • Tune search performance
  • Search syntax
    • Keyword search
    • Literals ("quotes")
    • Wildcards
    • Punctuation marks
    • Boolean operators
    • Comparison operators
  • Search pipeline syntax
    • Search pipeline syntax
    • Subsearch syntax
• Field reference
  • Fields
    • Use fields in Splunk Web
    • Field syntax
    • Field naming
    • Multi-value fields
  • Field list
    • _index
    • _raw
    • _time
    • date_hour
    • date_mday
    • date_minute
    • date_month
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • host
    • linecount
    • punct
    • source
    • sourcetype
    • timestamp
• Modifier reference
  • Modifiers
    • Modifier syntax
    • Modifier precedence
  • Search modifiers
    • eventtypetag
    • hosttag
    • savedsearch
    • tag
  • Time modifiers
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hoursago
    • minutesago
    • monthsago
    • searchtimespandays
    • searchtimespanhours
    • searchtimespanminutes
    • searchtimespanmonths
    • startdaysago
    • starthoursago
    • startminutesago
    • startmonthsago
    • starttime
    • starttimeeu
    • timeformat
• Search command reference
  • Search commands
    • Commands that support multi-value fields
    • Conventions used in the search reference
    • Command index
  • Data-generating commands
    • file
    • savedsearch
    • search
  • Filter and re-order
    • dedup
    • head
    • localize
    • regex
    • reverse
    • set
    • sort
    • tail
    • where
  • Transforming and reporting commands
    • associate
    • chart
    • cluster
    • contingency
    • correlate
    • diff
    • format
    • highlight
    • rare
    • stats
    • strcat
    • timechart
    • top
    • transaction
    • typelearner
    • xmlunescape
  • Evaluate
    • abstract
    • addtotals
    • anomalousvalue
    • bucket
    • convert
    • eval
    • fields
    • fillnull
    • kmeans
    • outlier
    • rename
    • replace
  • Extracting commands
    • extract
    • iplocation
    • multikv
    • rex
    • typer
    • xmlkv
  • Administrative commands
    • admin
    • audit
    • run
• CLI command reference
  • Splunk Command Line Interface (CLI)
    • CLI commands
    • auth and uri parameters
    • Note for Mac users

About tags

Tags help you group search results that share field values. Attach a name, or tag, to a group of results that share the same value of an indexed field (for example: event type, host, or source), or an extracted field. Apply any number of tags to a any field, event type, host, or source (Learn how to tag fields).

Example:
If you have an extracted field IPaddresses that contains IP addresses of your data sources, you can make it useful by tagging each IP address based on its functionality or location. You can tag all of your routers' IP addresses as router. You can also tag each IP address based on its location, for example: SF or Building1. An IP address of a router located in San Francisco inside Building 1 could have tags router, SF, and Building1.

If you want to search for all routers in San Francisco that are not in building 1, you search for the following:

For another example of using tags to search, you can watch this Splunk developer video.

Source type aliases

Source type aliases are similar to tags except you can only apply a single alias to one (or more) source types and only one alias to a single source type. Read more about Sourcetype aliasing.

Search for events containing tags

Search for tags by using the tag search modifier. The following examples show how to search for events using the tag modifier.

When you tag a host or source, Splunk adds the tag next to the host or source in the main dashboard. Search using the tags in the main dashboard by clicking on them. Splunk adds hosttag="tagname" in the search bar when you click on a host tag, and tag::source="tagname" when you click on a source tag.

The following examples search for events that have the field date_year tagged with the tag "2007".

tag::field::tag

Example:

tag::field=tag

Example:

tag=tag

Example:

Configure tags

Splunk allows you to configure and share tags easily by storing tag information in the tags.conf configuration file. Learn how to configure tags via tags.conf.

Configure roles for tagging

Define specific capabilities for tagging in your role configuration. A Splunk administrator must define the ability to create, edit, or delete tags in your role configuration by editing authorize.conf.