Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Event types versus Tags

blodgettb
Engager
‎08-01-2013 07:31 AM

Splunk allows us to have a tag and an event type with the same name, so what exactly is the difference between an event type and a tag name?

We have defined “TransactionsAndroid” as an event type:

  • Event type: TransactionsAndroid

  • Search string: uri="/ftgw/fbc/*" Apache-HttpClient/Fidelity-Android/

  • tag: TransactionsAndroid

And as the following 2 Tags (which both have the same name):

  • Tag name: TransactionsAndroid

  • Field value pair: eventtype=TransactionsAndroid

and:

  • Tag name: TransactionsAndroid

  • Field value pair: uri="/ftgw/fbc/*" Apache-HttpClient/Fidelity-Android/

Why does Splunk let us have 2 definitions for a tag name?

Which tag definition should we use?

In a search, what is the difference between the following?

  1. tag=TransactionsAndroid

  2. tag::eventtype=TransactionsAndroid

  3. eventtype=TransactionsAndroid

(see http://docs.splunk.com/Documentation/Splunk/4.3.5/Knowledge/Tageventtypes)

In our queries, should we refer to the tag or the event type?

Reply

sowings
Splunk Employee
Splunk Employee
‎08-01-2013 07:56 AM

Eventtypes and tags are a data abstraction layer that help you "normalize" data in Splunk.

Consider that some errors are more critical than others. Maybe you've got a debug message in the log that's flagged as an error when really it's not. For the "more critical" error, you might create an eventtype specific to that, like "server_E_ONFIRE". Start with a generic "error" eventtype. The tag here is "error = enabled". Now for the "server_E_ONFIRE" event, the more specific eventtype can then define more specific tags. Try "critical = enabled". Now, that event will have both eventtypes, and tags of "critical" and "error". For the debug "success error", set "error = disabled" to clear that tag.

Now you can search for "tag = critical" that will find the server_E_ONFIRE, but also any other messages you've tagged as critical. If you search just for "eventtype=server_E_ONFIRE", then you'll only find those. But if you search for "tag=error", then you won't get that debug message.

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...