Eventtype best practices?

Path Finder

the splunk CIM discusses the use of tags to help identify log entries according to an object/action/status formula - which is nice. however, are there any recommendations on how to identify a taxonomy for the eventtypes themselves so that the tags make sense?

what is the best way of classifying eventtypes into something useful - does what i have done in the following example make sense...?

i have a bunch of firewall log messages, so i create an eventtype called network_acl that matches all relevant log entries; then i create another eventtype called network_acl.denied which literally matches 'eventtype=network_acl AND denied'.

for the network_acl eventtype, i add tags 'acl application, firewall, host, network'; for the network_acl.denied eventtype, i add tags 'access, attempt, denied'

this method seems to work well so far; adding field extraction to pick out ip's etc seems to allow me to get most questions i have, but i have a nagging feeling i'm approaching this the wrong way.

i am also concerned that the network_acl.denied dependence on the 'parent's' eventtype is not the most efficient way of querying for it.

1 Solution

Splunk Employee

Eventtypes are fully expanded at search parsing time, so you need not be worried that having dependence on the parent's eventtype is inefficient. It is the same as if you fully expanded the search yourself.

As for your general approach, I think it's fine. We don't have any particular guidelines on how you should define a taxonomy for tags or eventtypes. Splunk has a flat namespace so it's up to you to decide a naming convention hierarchy that works well for your data.
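
The nested definition from the question as it would appear in configuration, with the expansion the answer describes shown in comments. This is an added example, not part of the original posts or Splunk's own material; the base search `sourcetype=example_firewall` is a made-up placeholder, and only some of the question's tags are shown.

```ini
# eventtypes.conf
# Parent eventtype: matches every relevant firewall log entry.
# The sourcetype below is a placeholder for whatever search selects your firewall data.
[network_acl]
search = sourcetype=example_firewall

# Child eventtype: defined in terms of the parent, as in the question.
[network_acl.denied]
search = eventtype=network_acl AND denied

# When a search references eventtype=network_acl.denied, the reference is
# replaced by its definition at parse time, and the nested reference to
# network_acl is replaced in turn. The search that runs is equivalent to:
#   (sourcetype=example_firewall) AND denied
# so the parent/child naming adds no extra lookup cost at search time.

# tags.conf
# Tags attach to the eventtype name; the dot in the name is only a naming
# convention, because the eventtype namespace is flat.
[eventtype=network_acl]
firewall = enabled
network = enabled

[eventtype=network_acl.denied]
access = enabled
attempt = enabled
denied = enabled
```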

Path Finder

thanks 🙂 at least i'm not doing things incorrectly 😉

so i have a quandary with this setup; because of my imposed 'hierarchy', i cannot generate reports such as 'show me top eventtypes' without double counting; eg one log event may have 2 or more eventtypes associated with it (ie it's both network_acl and network_acl.denied). i tried running a 'eventtype=network_acl NOT eventtype=network_acl.denied'; but of course the latter argument takes precedence and so the result would just exclude most log messages. any idea how i can generate this 'higher level' report on the hierarchy?
