Eventtypes and tags are a data abstraction layer that help you "normalize" data in Splunk.
Consider that some errors are more critical than others. Maybe you've got a debug message in the log that's flagged as an error when really it's not. For the "more critical" error, you might create an eventtype specific to that, like "server_E_ONFIRE". Start with a generic "error" eventtype. The tag here is "error = enabled". Now for the "server_E_ONFIRE" event, the more specific eventtype can then define more specific tags. Try "critical = enabled". Now, that event will have both eventtypes, and tags of "critical" and "error". For the debug "success error", set "error = disabled" to clear that tag.
Now you can search for "tag = critical" that will find the server_E_ONFIRE, but also any other messages you've tagged as critical. If you search just for "eventtype=server_E_ONFIRE", then you'll only find those. But if you search for "tag=error", then you won't get that debug message.