Using tags on resources allows an IT department to better organize cloud-based resources. Tags facilitate the identification of assets running specific work loads, department ownership, business process priority, and cost related information. However, with such a flexible design, tag management and analysis are challenging to review and manage. You can use this search to identify the most frequent tags and tag values in use across your infrastructure.
Microsoft: Azure resource data
- Configure the Splunk Add-on for Microsoft Cloud Services.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=mscs:resource:* | dedup id | foreach tags.* [| eval newtags = mvappend(coalesce(newtags, ""), "<<MATCHSTR>>"." : ".'<<FIELD>>')] | eval newtags=coalesce(custom_tag,newtags) | mvexpand newtags | table id newtags type | eval mysplit = split(newtags, " : ") | eval tag_name=mvindex(mysplit,0), tag_value=mvindex(mysplit,1) | top limit=0 tag_name by type | table type tag_name percent
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Search only Azure resource data.
|| dedup id||Obtain the most recent tags per resource.|
|| foreach tags.*
[| eval newtags = mvappend(coalesce(newtags, ""), "<<MATCHSTR>>"." : ".'<<FIELD>>')]
|For each tag, evaluate a new field named newtags and format the tags with a colon ( : ) between the tag name and tag value.|
|| eval newtags=coalesce(custom_tag,newtags)||Coalesce the custom_tag and newtags fields.|
|| mvexpand newtags||Expand values in a multivalue field into separate events, one event for each value in the multivalue field.|
|| table id newtags type||Return the fields id, newtags and type fields.|
|| eval mysplit = split(newtags, " : ")||Split string values on the delimiter and return the string value as a multivalue field.|
|| eval tag_name=mvindex(mysplit,0), tag_value=mvindex(mysplit,1)||Create tag_name and tag_value fields.|
|| top limit=0 tag_name by type||Calculate a count and percentage of the frequency the values occur in the events.|
|| table type tag_name percent||Format the results for use with the treemap visualization.|
The SPL in this procedure and the corresponding treemap visualization are one of many ways to visualize and analyze tag data. You can modify the SPL and visualizations to analyze the data in a way that is more relevant to your organizations use of tagging. For example, you might want to visualize all resources using the same tag name, which can help you analyze how much infrastructure is supporting a particular application or how much infrastructure is supporting non-production workloads.
Here is an example treemap visualization:
You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.