In this section we are going to learn about Splunk tags and field aliases, the search-time operations sequence, and where tags and aliases fall in the search-time operation order.
Tags and aliases
We may have groups of events with similar field values in our results. We can add tags and aliases to our data so that we can search for these classes of event data more efficiently.
Having several tags does not affect indexing, but, much like lookups, using them in a search should give a better categorization of events.
Tags allow us to assign names to specific combinations of field and value, such as event type, host, source, or source type.
Tags may be used to track abstract field values, such as IP addresses or ID numbers. For example, the value 192.168.1.2 might be the IP address of our main office. Tag that IPaddress value as the main office, then search for that tag to find events with that IP address.
We can also use a tag to group a set of field values together and search for all of them with one term. For example, we have two host names that refer to the same machine. We can give the same tag to each of those values. When we search for that tag, it returns events that carry either value of the host name.
We can assign multiple tags to an extracted field that represent different aspects of its identity, which allows us to run tag-based searches that narrow down the results.
Suppose we have an extracted field called IPaddress, which holds the IP addresses of the data sources on our company intranet. We can tag every IP address by its function or its location. We can tag all router IP addresses as router, and tag each IP address by its location, such as SF or Building1. The IP address of a router inside Building1 in San Francisco would then have the router, SF, and Building1 tags.
We use the following search to find all routers in San Francisco that are not in Building1.
Tags and the search-time operations sequence
When we run a search, Splunk software runs multiple operations to derive knowledge objects and apply them to the events returned by the search. Splunk software performs these operations in a particular sequence.
Search-time operation order
Tags come last on the search-time list.
Splunk software applies tags to field/value pairs in events in ASCII sort order. In an event, a tag can be applied to any field/value pair, whether it was extracted at index time or search time, or added through some other method, such as an event type, search, or calculated field.
Field aliases allow us to normalize data from multiple sources. We can add several aliases to a field name, or use field aliases to normalize different field names onto one. A field alias does not rename or remove the original field; if we alias a field, we can search for it under any of its names. Field aliases are defined in Splunk Web or in props.conf.
We may use aliases to assign a single field name to several different extracted field names.
Field aliases are applied in all searches for all source types, which can add significant overhead over time.
Field Aliases example
One data model may have a field named http_referrer. This field may be misspelled as http_referer in our source data. Use a field alias to capture the misspelled field in our source data and map it to the field name the data model expects.
Field aliases and the search-time operations sequence
Search-time operations order
Field aliasing comes fourth in the order of search-time operations, after automatic key-value field extraction but before calculated fields.
Splunk software processes the field aliases that belong to a specific host, source, or source type in ASCII sort order. We can create aliases for fields extracted at index time or at search time. We cannot create aliases for fields that are added to events by search-time operations that come after field aliasing.
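The configuration behind the router-tag example and the http_referrer alias example above, written out as an added illustration rather than taken from the original page. The source type access_combined, the host names, and the 10.x IP addresses are constructed placeholders; the ordering point is that field aliasing (fourth) runs before tagging (last), so the alias is in place by the time tags are applied.

```ini
# props.conf (added example): alias the misspelled source field to the
# name the data model expects. AS keeps the original field, so a search
# on either http_referer or http_referrer still matches the event.
[access_combined]
FIELDALIAS-fix_referrer = http_referer AS http_referrer

# tags.conf (added example): each stanza tags one field/value pair.
# 192.168.1.2 is the main office address from the text; the 10.x
# addresses are constructed placeholders.
[IPaddress=192.168.1.2]
mainoffice = enabled

# A router in Building1 in San Francisco carries all three tags.
[IPaddress=10.0.1.1]
router = enabled
SF = enabled
Building1 = enabled

# A San Francisco router elsewhere carries only router and SF.
[IPaddress=10.0.2.1]
router = enabled
SF = enabled

# Two host names for the same machine share one tag, so a search on
# tag=webfarm returns events carrying either host value.
[host=web01]
webfarm = enabled

[host=web01.example.com]
webfarm = enabled

# Search (SPL) for all routers in San Francisco that are not in Building1;
# with the stanzas above it matches 10.0.2.1 but not 10.0.1.1:
#   tag=router tag=SF NOT tag=Building1
#
# Field-scoped form, which only matches tags attached to IPaddress:
#   tag::IPaddress=router tag::IPaddress=SF NOT tag::IPaddress=Building1
```

Tags are resolved at search time, so editing tags.conf changes which events a tag search returns without re-indexing any data.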