https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123106#M1244 <P>Use <CODE>tags</CODE> when you don't need wildcards. Use <CODE>eventtypes</CODE> when you do need wildcards<CODE>. Always prefer</CODE>tags`.</P> Fri, 20 Mar 2020 15:47:36 GMT woodcock 2020-03-20T15:47:36Z https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123099#M1237 <OL> <LI><P>What is the definition of the [Tag] is?</P></LI> <LI><P>What is the definition of the [Eventtype] is?</P></LI> <LI><P>What is the point of difference between the [Tag] and [eventtype] is?</P></LI> </OL> Wed, 27 May 2015 02:36:02 GMT https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123099#M1237 kedjjang 2015-05-27T02:36:02Z https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123100#M1238 <P>An <CODE>eventtype</CODE> is a search that runs when you specify <CODE>eventtype=MyEventType</CODE>; you can think of it like a "pipeless, parameterless <CODE>macro</CODE>" or even like a <CODE>saved search</CODE>. </P> <P>A <CODE>tag</CODE> is a not-necessarily-unique "nametag" given to a specific, definitive (wildcardless) Key-value-pairing. It is very much like an <CODE>eventtype</CODE> but it has the following differences:</P> <P>An instance of an <CODE>eventtype</CODE> name is defined by a single directive inside a single <CODE>eventtypes.conf</CODE> file but an instance of a <CODE>tag</CODE> name can be defined in an infinite number of separate <CODE>tags.conf</CODE> files.</P> <P>An <CODE>eventtype</CODE> definition can use wildcards and have any number of pre-pipe specifications (conjunctions) but a <CODE>tag</CODE> definition always contains a single<CODE>key=value</CODE> pairing.</P> <P>There is an extremely high degree of use-case overlap between the 2 constructs. For example, if you would like to identify all lab servers you could create a single <CODE>eventtype</CODE> like this:</P> <PRE><CODE>[LAB_EVENTS] search = host=LAB* OR host=xyz OR host=PDQ </CODE></PRE> <P>Then you search like this:</P> <PRE><CODE>eventtype=LAB_EVENTS </CODE></PRE> <P>Or you could use several <CODE>tags</CODE> like this:</P> <PRE><CODE>[host=LAB1] lab=enabled [host=LAB2] lab=enabled [host=LAB3] lab=enabled [host=xyz] lab=enabled [host=PDQ] lab=enabled </CODE></PRE> <P>Then you search like this:</P> <PRE><CODE>tag="lab" </CODE></PRE> Wed, 27 May 2015 03:16:44 GMT https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123100#M1238 woodcock 2015-05-27T03:16:44Z https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123101#M1239 <P>Is there a big difference regarding the performance between eventypes and tags?</P> Wed, 27 May 2015 08:32:11 GMT https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123101#M1239 HeinzWaescher 2015-05-27T08:32:11Z https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123102#M1240 <P>Check out the <CODE>Knowledge Object Explorer app</CODE>. With a small number, there is no difference but the more apps and configurations you add, there can be HUGE performance differences between the two.<BR /> <A href="https://splunkbase.splunk.com/app/2871/">https://splunkbase.splunk.com/app/2871/</A></P> Mon, 27 Feb 2017 15:03:58 GMT https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123102#M1240 woodcock 2017-02-27T15:03:58Z https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123103#M1241 <P>Great explanation woodcock, could you give sample results based on those event types and tags?</P> <P>Thanks.</P> Mon, 12 Feb 2018 15:56:59 GMT https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123103#M1241 splunkreal 2018-02-12T15:56:59Z https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123104#M1242 <P>@realsplunk, please keep in mind that <CODE>Event types</CODE> are intended for data classification whereas <CODE>Tags</CODE> are for data normalization - so, from design perspective, they are very different. </P> Mon, 12 Feb 2018 16:05:54 GMT https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123104#M1242 ddrillic 2018-02-12T16:05:54Z https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123105#M1243 <P>can you tell me when i will use tags and when used eventtypes</P> Thu, 07 Mar 2019 13:51:57 GMT https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123105#M1243 arihant16cse 2019-03-07T13:51:57Z https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123106#M1244 <P>Use <CODE>tags</CODE> when you don't need wildcards. Use <CODE>eventtypes</CODE> when you do need wildcards<CODE>. Always prefer</CODE>tags`.</P> Fri, 20 Mar 2020 15:47:36 GMT https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123106#M1244 woodcock 2020-03-20T15:47:36Z https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123107#M1245 <P>Look at how the <CODE>Common Information Model</CODE> app uses each:<BR /> <A href="https://docs.splunk.com/Documentation/CIM/latest/User/Overview">https://docs.splunk.com/Documentation/CIM/latest/User/Overview</A></P> Fri, 20 Mar 2020 15:48:37 GMT https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123107#M1245 woodcock 2020-03-20T15:48:37Z https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123108#M1246 <P>I disagree. I use <CODE>tags</CODE> for <CODE>classification</CODE> all the time; for example a host can be either <CODE>production</CODE> or <CODE>development</CODE>.</P> Fri, 20 Mar 2020 15:49:40 GMT https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/123108#M1246 woodcock 2020-03-20T15:49:40Z https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/529486#M4814 <P>Nice examples, Woodcock!!!&nbsp; Eventtype is quite easy to understand but tag with enabled/disabled &lt;field&gt;&lt;value&gt; is not always clear to a lot of people.&nbsp; &nbsp;</P><P>On, the other hand, the whole eventtype can also be tagged in tags.conf like the following</P><P>[eventtype=LAB_EVENTS]<BR />lab = enabled</P> Mon, 16 Nov 2020 03:00:34 GMT https://community.splunk.com/t5/Knowledge-Management/What-are-the-definitions-of-Tag-and-Eventtype-and-what-are-the/m-p/529486#M4814 anwarmian 2020-11-16T03:00:34Z