Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Eventtype best practices?

ytl
Path Finder
‎04-04-2011 11:30 PM

the splunk CIM discusses the use of tags to help identify log entries according to an object/action/status formula - which is nice. however, are there any recommendations on how to identify a taxonomy for the eventtypes themselves so that the tags make sense?

what is the best way of classifying eventtypes into something useful - does what i have done in the following example make sense...?

i have a bunch of firewall log messages, so i create an eventtype called network_acl that matches all relevant log entries; then i create another eventtype called network_acl.denied which literally matches 'eventtype=network_acl AND denied'.

for the network_acl eventtype, i add tags 'acl application, firewall, host, network' for the network_acl.denied eventtype, i add tags 'access, attempt, denied'

this method seems to work well so far; adding field extraction to pick out ip's etc seems to allow me to get most questions i have, but i have a nagging feeling i'm approaching this the wrong way.

i am also concerned that the network_acl.denied dependence on the 'parent's' eventtype is not the most efficient way of querying for it.

Reply
1 Solution
Solved! Jump to solution
Solution

steveyz
Splunk Employee
Splunk Employee
‎04-05-2011 07:16 PM

eventtypes are fully expanded at search parsing time, so you need not be worried that having dependence on the parent's eventtype is inefficient. It is the same as if you fully expanded the search yourself.

As for your general approach, I think it's fine. We don't have any particular guidelines on how you should define a taxonomy for tags or eventtypes. Splunk has a flat namespace so it's up to you to decide a naming convention hierarchy that works well for your data.

View solution in original post

Reply
Solved! Jump to solution
Solution

steveyz
Splunk Employee
Splunk Employee
‎04-05-2011 07:16 PM

eventtypes are fully expanded at search parsing time, so you need not be worried that having dependence on the parent's eventtype is inefficient. It is the same as if you fully expanded the search yourself.

As for your general approach, I think it's fine. We don't have any particular guidelines on how you should define a taxonomy for tags or eventtypes. Splunk has a flat namespace so it's up to you to decide a naming convention hierarchy that works well for your data.

Reply
Solved! Jump to solution

ytl
Path Finder
‎04-06-2011 06:14 PM

thanks 🙂 at least i'm not doing things incorrectly 😉

so i have a quandary with this setup; because of my imposed 'hierarchy', i cannot generate reports such as 'show me top eventtypes' without double counting; eg one log event may have 2 or more eventtypes associated with it (ie it's both network_acl and network_acl.denied). i tried running a 'eventtype=network_acl NOT eventtype=network_acl.denied'; but of course the latter argument takes precedence and so the result would just exclude most log messages. any idea how i can generate this 'higher level' report on the the hierarchy?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...