Splunk 简明教程
Splunk - Tags
标签用于给定的字段和值组合指定名称。这些字段可以是事件类型、主机、源或源类型等。您还可以使用标签对一组字段值进行分组,以便您可以使用一个命令对它们进行搜索。例如,您可以将星期一生成的所有不同文件标记为名为 mon_files 的标签。
Tags are used to assign names to specific field and value combinations. These fields can be event type, host, source, or source type, etc. You can also use a tag to group a set of field values together, so that you can search for them with one command. For example, you can tag all the different files generated on Monday to a tag named mon_files.
为了找到我们要标记的字段值对,我们需要展开事件并找到要考虑的字段。下图显示了我们如何展开事件以查看字段 −
To find the field-value pair which we are going to tag, we need to expand the events and locate the field to be considered. The below image shows how we can expand an event to see the fields −
Creating Tags
我们可以使用 Edit Tags 选项将标签值添加到字段值对中,如下所示,来创建标签。我们选择“操作”列下的字段。
We can create tags by adding the tag value to field-value pair using Edit Tags option as shown below. We choose the field under the Actions column.
下一个屏幕提示我们定义标签。对于“状态”字段,我们选择状态值为 503 或 505,并分配一个名为 server_error 的标签,如下所示。我们必须通过选择两个事件分别进行该操作,每个事件的状态值分别为 503 和 505。下图显示了状态值为 503 的方法。对于状态值为 505 的事件,我们必须重复相同的步骤。
The next screen prompts us to define the tag. For the Status field, we choose the status value of 503 or 505 and assign a tag named server_error as shown below. We have to do it one by one by choosing two events, each with the events with status value 503 and 505. The image below shows the method for status value as 503. We have to repeat the same steps for an event with status value as 505.
