Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Event types versus Tags

blodgettb
Engager
‎08-01-2013 07:31 AM

Splunk allows us to have a tag and an event type with the same name, so what exactly is the difference between an event type and a tag name?

We have defined “TransactionsAndroid” as an event type:

  • Event type: TransactionsAndroid

  • Search string: uri="/ftgw/fbc/*" Apache-HttpClient/Fidelity-Android/

  • tag: TransactionsAndroid

And as the following 2 Tags (which both have the same name):

  • Tag name: TransactionsAndroid

  • Field value pair: eventtype=TransactionsAndroid

and:

  • Tag name: TransactionsAndroid

  • Field value pair: uri="/ftgw/fbc/*" Apache-HttpClient/Fidelity-Android/

Why does Splunk let us have 2 definitions for a tag name?

Which tag definition should we use?

In a search, what is the difference between the following?

  1. tag=TransactionsAndroid

  2. tag::eventtype=TransactionsAndroid

  3. eventtype=TransactionsAndroid

(see http://docs.splunk.com/Documentation/Splunk/4.3.5/Knowledge/Tageventtypes)

In our queries, should we refer to the tag or the event type?

Reply

sowings
Splunk Employee
Splunk Employee
‎08-01-2013 07:56 AM

Eventtypes and tags are a data abstraction layer that help you "normalize" data in Splunk.

Consider that some errors are more critical than others. Maybe you've got a debug message in the log that's flagged as an error when really it's not. For the "more critical" error, you might create an eventtype specific to that, like "server_E_ONFIRE". Start with a generic "error" eventtype. The tag here is "error = enabled". Now for the "server_E_ONFIRE" event, the more specific eventtype can then define more specific tags. Try "critical = enabled". Now, that event will have both eventtypes, and tags of "critical" and "error". For the debug "success error", set "error = disabled" to clear that tag.

Now you can search for "tag = critical" that will find the server_E_ONFIRE, but also any other messages you've tagged as critical. If you search just for "eventtype=server_E_ONFIRE", then you'll only find those. But if you search for "tag=error", then you won't get that debug message.

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...