TrackMe Tags enrichment

Introduction to tags enrichments

Hint: About Tags in TrackMe

  • Tags are used to provide additional context to the entities

  • Tags can be used for filtering purposes in the user interface

  • Tags can be used for alerting purposes

  • Tags can be used for additional context in the user interface

tags_overview.png

Implementing tags enrichments in TrackMe (all components)

Extension of Tags features for all components in TrackMe 2.0.98

  • Since TrackMe version 2.0.98, tags enrichments are available for all components in TrackMe with the exact same level of features, and user experience.

Tags enrichments in TrackMe can be defined by:

  • Tags policies: Automated rules that assign tags to matching entities. Tags policies support two modes:

    • Regex-based policies match regular expressions against entity names to assign tags.

    • Lookup-based policies leverage existing Splunk lookups (CSV or KVstore) to assign tags based on field mappings, making it easy to integrate with a CMDB or asset inventory.

  • Manual Tags: In addition, you can manually add tags to the entities from the user interface.

Accessing, defining and managing tags policies

TrackMe supports the management of tags via policy, which can be defined per Virtual Tenant:

  • Tags policies allow you to automate tag assignment across entities using regex-based or lookup-based rules.

  • Regex-based policies match regular expressions against the entity name (object field) and assign a defined set of tags.

  • Lookup-based policies leverage existing Splunk lookups (CSV or KVstore) to assign tags based on field mappings, making it easy to integrate with a CMDB or asset inventory.

  • Multiple matching policies: Multiple policies can match a given entity. Tags from all matching policies (both regex and lookup) are merged together (union-based).

  • Lower case: Tags are automatically stored in lower case format.

  • Tags submission: These policies are monitored by a scheduled job named trackme_<component_suffix>_tags_tracker_tenant_<tenant_id>.

  • Removing tags policies: When tags policies are removed, the tags associated with entities from the removed policies are removed from the entities automatically.

  • Tags in the KVstore records: Tags are stored in the entities KVstore records, and can be used for alerting filtering purposes.

  • Tags in the user interface: Tags are displayed in the user interface for the entities.

Accessing the policy management screen:

  • From any Tenant Home page, click the Manage: tags policies button

policies_editor1.png

Lookup-based policies

Lookup-based policies leverage existing Splunk lookup transforms (CSV files or KVstore collections) to assign tags to entities based on field mappings. This is the recommended approach when integrating with an external CMDB, asset inventory, or any structured data source.

Creating a lookup-based policy:

  • Click Create new policy and select the Lookup mode

  • Enter a policy identifier (or let TrackMe auto-generate one)

  • Select a Splunk lookup transform from the dropdown — TrackMe lists all available lookup transforms in your Splunk environment

  • Configure field mappings to map lookup fields to entity fields — for example, map the lookup field index to the entity field data_index, and the lookup field host to the entity field object

  • Select the tags field — the field in the lookup that contains the tag values

  • Optionally configure the tags separator — the character used to split multiple tags from a single lookup field value (default: ,)

  • Select the match mode: Exact (case-insensitive string matching) or Wildcard (supports * and ? patterns)

  • Click Simulate to preview which entities would be matched and what tags would be assigned

Lookup policy configuration details

  • Field mappings: Define how lookup fields map to entity fields. All mapped fields must match for an entity to be selected. For example, if you map index -> data_index and host -> object, both conditions must be satisfied.

  • Tags field: The column in the lookup containing the tag value(s) (e.g., a tags or category column).

  • Tags separator: The character used to split multiple tags within a single lookup cell. For example, if a lookup cell contains network,critical, the default separator , will produce two tags: network and critical.

  • Match modes: Exact performs case-insensitive string comparison. Wildcard supports * (matches any characters) and ? (matches a single character) for flexible pattern matching.

Regex-based policies

Regex-based policies match a regular expression pattern against the entity name (object field). When the pattern matches, the configured tags are assigned to the entity.

Creating a regex-based policy:

  • Click Create new policy and select the Regex mode

  • Enter a policy identifier (or let TrackMe auto-generate one)

  • Enter the regex pattern to match against entities

  • Enter the tags to assign to matched entities (comma-separated)

  • Click Simulate to preview which entities would be matched before saving

Tags policies usage example (regex)

In the following example, we have a number of entities whose names follow patterns we can leverage for tags policies purposes:

  • geo-locations: the entity naming convention includes the source location of these feeds

  • technology information: we can also leverage this information to associate these entities with technology-related context tags

Example of tags policies definition:

In this example, we are going to rely on the index naming convention to define tags, so we can automatically classify TrackMe entities.

In short, we are going to apply the following simple logic:

geographical location:

  regular expression    tags
  .*_na_.*              north_america
  .*_eu_.*              europe
  .*_uk_.*              united_kingdom

technology information:

  regular expression    tags
  .*_syslog:.*          network
  .*_linux:.*           os

Once configured in TrackMe’s UI:

tags_policies_overview.png

Tag merging and conflict resolution

When multiple policies (regex, lookup, or a mix of both) match the same entity, TrackMe applies union-based tag merging: all tags from all matching policies are combined into the entity’s tag list.

  • Tags are always stored in lower case and deduplicated.

  • There is no conflict resolution needed — tags from all matching policies are merged together.

  • For example, if a regex policy assigns network and a lookup policy assigns critical,production to the same entity, the entity will receive all three tags: critical, network, production.
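As an added illustration (not TrackMe's own code), the following Python models how the regex policies from the example above and a lookup-based policy combine under union-based merging (lower case, deduplicated). The entity names, the lookup rows, the lookup policy (host -> object, index -> data_index, Wildcard mode) and the function names are constructed for this example.

```python
import re

# Constructed sample entities (not TrackMe data): "object" is the entity name, "data_index" its index.
ENTITIES = [
    {"object": "fw01_na_syslog:cisco", "data_index": "netops_na"},
    {"object": "srv02_eu_linux:secure", "data_index": "os_eu"},
    {"object": "web03_uk_linux:secure", "data_index": "os_uk"},
]
# Regex policies from the page's example: pattern tested against the object field, tags to assign.
REGEX_POLICIES = [
    (r".*_na_.*", "north_america"), (r".*_eu_.*", "europe"), (r".*_uk_.*", "united_kingdom"),
    (r".*_syslog:.*", "network"), (r".*_linux:.*", "os"),
]
# Constructed rows standing in for a CMDB lookup, plus a hypothetical lookup policy that maps
# lookup field "host" -> entity field "object" and "index" -> "data_index" in Wildcard mode.
LOOKUP_ROWS = [
    {"host": "fw01_*", "index": "netops_na", "tags": "Critical,Production"},
    {"host": "srv02_eu_linux:secure", "index": "os_eu", "tags": "production"},
]
LOOKUP_POLICY = {"mappings": {"host": "object", "index": "data_index"},
                 "tags_field": "tags", "separator": ",", "match_mode": "wildcard"}


def field_matches(lookup_value, entity_value, mode):
    """Exact mode: case-insensitive comparison. Wildcard mode: * = any characters, ? = one character."""
    if mode != "wildcard":
        return lookup_value.lower() == entity_value.lower()
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in lookup_value)
    return re.fullmatch(regex, entity_value, re.IGNORECASE) is not None


def regex_policy_tags(entity, policies):
    """Tags from every regex policy whose pattern matches the object field."""
    tags = set()
    for pattern, tag_list in policies:
        if re.search(pattern, entity["object"]):
            tags.update(t.strip() for t in tag_list.split(","))
    return tags


def lookup_policy_tags(entity, rows, policy):
    """Tags from every lookup row where all mapped fields match the entity."""
    tags = set()
    for row in rows:
        if all(field_matches(row[lf], entity[ef], policy["match_mode"]) for lf, ef in policy["mappings"].items()):
            tags.update(t.strip() for t in row[policy["tags_field"]].split(policy["separator"]))
    return tags


def apply_policies(entity):
    """Union-based merge: lower-cased, deduplicated tags from all matching regex and lookup policies."""
    merged = regex_policy_tags(entity, REGEX_POLICIES) | lookup_policy_tags(entity, LOOKUP_ROWS, LOOKUP_POLICY)
    return sorted(t.lower() for t in merged if t)
```

The first entity matches two regex policies and one lookup row, so it ends up with four tags; the mixed-case lookup values are normalised to lower case before merging.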

Running the policy tracker

After creating one or more policies, you can execute the policy tracker to apply all configured policies to your entities:

  • Click the Run policy tracker button in the policy management screen

  • TrackMe will evaluate all regex and lookup policies against all entities in the selected component

  • A summary of the results is displayed, including the number of entities updated, matched, and any errors encountered

Tags can be used for filtering purposes in the user interface:

tags_filter_ui.png

Tags can also be accessed per entity, and modified from there too:

tags_review1.png tags_review2.png

Tags are part of TrackMe notable events, so you can use them for filtering, enrichment, decision making and so forth:

index=trackme_notable tenant_id=<replace with tenant_id>

dsm_tag_policies18.png

Tags are included in the trackme:state events:

index=trackme_summary sourcetype="trackme:state" tenant_id=<replace with tenant_id>

tags_trackmestate.png

Tags can be accessed through the TrackMe get collection command, which renders entities from Decision Maker (same as the UI view):

| trackmegetcoll tenant_id=<tenant_id> component=<component_suffix>

command_get_records.png command_get_records2.png

Troubleshoot tags policies

Tags policies tracker

The first component is the scheduled job which applies the tags policies to the entities; this job is named as follows:

  • trackme_<component_suffix>_tags_tracker_tenant_<tenant_id>

troubleshoot1.png

This job should be scheduled, and execute properly:

troubleshoot2.png

You can find its logs as follows:

index=_internal sourcetype=trackme:custom_commands:trackmesplktags

When you have multiple tenants, you may want to filter on the tenant identifier:

index=_internal sourcetype=trackme:custom_commands:trackmesplktags tenant_id=<replace with tenant_id>

In case of any issues with the tags policies, first ensure that the job exists, is scheduled and executes properly, then continue with the following steps.

Tags policies REST API endpoint

The scheduled job calls the REST API endpoint that applies the tags policies. You can review the logs for this endpoint as follows:

index=_internal sourcetype=trackme:rest_api post_tag_policies_apply

With multiple tenants, filter on the tenant identifier:

index=_internal sourcetype=trackme:rest_api post_tag_policies_apply tenant_id=<replace with tenant_id>
troubleshoot3.png

In case of issues, carefully review the logs and verify if there are exceptions or issues with the tags policies:

index=_internal sourcetype=trackme:rest_api post_tag_policies_apply log_level=error

The REST API endpoint can be called manually as well. To get the list of endpoints and their usage, review the REST API reference dashboard:

troubleshoot4.png

For instance, you can apply the tags policies manually:

| trackme mode=post url="/services/trackme/v2/splk_tag_policies/write/tag_policies_apply" body="{'tenant_id': '<replace with the tenant id>'}"

troubleshoot5.png

Tags policies KVstore collection

When tags policies are applied, each TrackMe entity gets a record with the list of its associated tags, if any:

| inputlookup trackme_dsm_tags_tenant_<replace with tenant id>

troubleshoot6.png

When TrackMe trackers are executed, the tags records are automatically cross-enriched with the entities records to form the tags fields of the final entities records:

| inputlookup trackme_dsm_tenant_<replace with tenant id> | table object, *tags*

troubleshoot7.png