How do I automatically tag new results?

I need to create a custom chart in splunk and be able to tag the results of that search with a ticket number for tracking purposes. I run into issues when I run the search right now because only one host is tagged. The search is related to virus infections and new infections will happen quite often. Is there any way when I run my search, to automatically tag the new results that do not have a tag yet with "New"

example:

search ..................... | chart count by tag::src (this only returns results if the hosts have already been tagged). I tried to use the fillnull value=New tag::src but that did not work.

asked 21 Apr '10, 15:00

mctester
822●6●6●42
accept rate: 100%

One Answer:

oldest newest most voted

No, there really isn't any such functionality in the product, at least not that would work for what you're trying to do. Yours isn't the first request for such, but I would file an Enhancement Request with Splunk Support (a P4 ticket here http://www.splunk.com/page/submit_issue) because the more people ask for it, the sooner it'll get done.

link

answered 21 Apr '10, 15:19

gkanapathy ♦
32.4k●4●8●27
accept rate: 41%

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

search-help ×229
tags ×76

Asked: 21 Apr '10, 15:00

Seen: 821 times

Last updated: 21 Apr '10, 15:19

How do I automatically tag new results?

Follow this question

Splunk Resources

Related questions