Splunk allows us to have a tag and an event type with the same name, so what exactly is the difference between an event type and a tag name?
We have defined “TransactionsAndroid” as an event type:
Event type: TransactionsAndroid
Search string: uri="/ftgw/fbc/*" Apache-HttpClient/Fidelity-Android/
tag: TransactionsAndroid
And as the following 2 Tags (which both have the same name):
Tag name: TransactionsAndroid
Field value pair: eventtype=TransactionsAndroid
and:
Tag name: TransactionsAndroid
Field value pair: uri="/ftgw/fbc/*" Apache-HttpClient/Fidelity-Android/
Why does Splunk let us have 2 definitions for a tag name?
Which tag definition should we use?
In a search, what is the difference between the following?
tag=TransactionsAndroid
tag::eventtype=TransactionsAndroid
eventtype=TransactionsAndroid
(see http://docs.splunk.com/Documentation/Splunk/4.3.5/Knowledge/Tageventtypes)
In our queries, should we refer to the tag or the event type?
Eventtypes and tags are a data abstraction layer that helps you "normalize" data in Splunk.
Consider that some errors are more critical than others. Maybe you've got a debug message in the log that's flagged as an error when really it's not. For the "more critical" error, you might create an eventtype specific to that, like "server_E_ONFIRE". Start with a generic "error" eventtype. The tag here is "error = enabled". Now for the "server_E_ONFIRE" event, the more specific eventtype can then define more specific tags. Try "critical = enabled". Now, that event will have both eventtypes, and tags of "critical" and "error". For the debug "success error", set "error = disabled" to clear that tag.
Now you can search for "tag = critical" that will find the server_E_ONFIRE, but also any other messages you've tagged as critical. If you search just for "eventtype=server_E_ONFIRE", then you'll only find those. But if you search for "tag=error", then you won't get that debug message.
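As an added illustration (not part of the question or the answer above), here is one way the scenario the answer describes could be laid out in Splunk's eventtypes.conf and tags.conf. The eventtype names other than server_E_ONFIRE, the search strings, and the file split are assumptions for the example; the tags.conf stanzas are keyed on the eventtype field, which is what makes tag::eventtype=... searches apply to them.

```ini
# Added example, not the page's own configuration.
# Stanza names and search strings below are assumed for illustration.

# --- eventtypes.conf ---
# Generic eventtype: any event carrying the word "error".
[error]
search = error

# More specific eventtype for the critical condition named in the answer.
[server_E_ONFIRE]
search = error "E_ONFIRE"

# Debug noise that is logged at error level but is not a real error.
[debug_success]
search = error "debug" "success"

# --- tags.conf ---
# Stanzas are [<field>=<value>]; here the field is eventtype, so these
# tags are visible as tag::eventtype=<tag> as well as plain tag=<tag>.
[eventtype=error]
error = enabled

# The specific eventtype adds a second tag; an E_ONFIRE event matches
# both eventtypes, so it carries both the "error" and "critical" tags.
[eventtype=server_E_ONFIRE]
critical = enabled

# "disabled" means the "error" tag is explicitly not associated with
# this eventtype, which is how the answer separates debug noise from
# real errors.
[eventtype=debug_success]
error = disabled

# Searches, as comments (not conf keys):
#   tag=critical                  -> anything tagged critical, on any field
#   tag::eventtype=critical       -> only events whose eventtype is tagged critical
#   eventtype=server_E_ONFIRE     -> only events matching that one eventtype
```

Both files belong under an app's local directory (for example the app's local/eventtypes.conf and local/tags.conf); the tag search forms are the same three the question lists, and the difference between tag=X and tag::eventtype=X is that the latter only matches when the tag was applied to the eventtype field rather than to any field.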