Knowledge Management

Event types versus Tags

blodgettb
Engager

Splunk allows us to have a tag and an event type with the same name, so what exactly is the difference between an event type and a tag name?

We have defined “TransactionsAndroid” as an event type:

  • Event type: TransactionsAndroid

  • Search string: uri="/ftgw/fbc/*" Apache-HttpClient/Fidelity-Android/

  • tag: TransactionsAndroid

And as the following 2 Tags (which both have the same name):

  • Tag name: TransactionsAndroid

  • Field value pair: eventtype=TransactionsAndroid

and:

  • Tag name: TransactionsAndroid

  • Field value pair: uri="/ftgw/fbc/*" Apache-HttpClient/Fidelity-Android/

Why does Splunk let us have 2 definitions for a tag name?

Which tag definition should we use?

In a search, what is the difference between the following?

  1. tag=TransactionsAndroid

  2. tag::eventtype=TransactionsAndroid

  3. eventtype=TransactionsAndroid

(see http://docs.splunk.com/Documentation/Splunk/4.3.5/Knowledge/Tageventtypes)

In our queries, should we refer to the tag or the event type?

sowings
Splunk Employee
Splunk Employee

Eventtypes and tags are a data abstraction layer that help you "normalize" data in Splunk.

Consider that some errors are more critical than others. Maybe you've got a debug message in the log that's flagged as an error when really it's not. For the "more critical" error, you might create an eventtype specific to that, like "server_E_ONFIRE". Start with a generic "error" eventtype. The tag here is "error = enabled". Now for the "server_E_ONFIRE" event, the more specific eventtype can then define more specific tags. Try "critical = enabled". Now, that event will have both eventtypes, and tags of "critical" and "error". For the debug "success error", set "error = disabled" to clear that tag.

Now you can search for "tag = critical" that will find the server_E_ONFIRE, but also any other messages you've tagged as critical. If you search just for "eventtype=server_E_ONFIRE", then you'll only find those. But if you search for "tag=error", then you won't get that debug message.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...