Is it possible to put spaces in tags of event types ?
For example, I have an Eventtype for this log "[2011-04-22 22:28:17] INFO- (MessagingMain.java:161) GWMT0002I - BATCH PROCESS [JNP02S328] ENDED WITH STATUS: 1 => FAILED --> com.tdi.gw.system.MessagingMain - main". I use a eventtype and a tag to build "understandable" report with tags and not the full stacktrace. I want "Batch Failed" as tag for this eventtype but when you put a space, it is like you write 2 tags. Currently, I use "BatchFailed" but if it is possible i prefer "Batch Failed".
Maybe I'm missing something here but, not sure I see the problem. Give your event two tags.
Then just search on both:
Batch AND Failed
With two tags you could also perform searches like:
Batch (assuming you have non-batch events)
batch AND Success (assuming there are events tagged with Success)
batch AND NOT Failed
Although ugly, you could combined the words failedbatch or batchfailed.
I use tags mainly for simplify reports. I have 200 distinct errors to monitore and each error has an eventtype and tag. Many errors have the same tag to group them.
My problem is more an aesthitic problem than functionnal problem 🙂
Spaces are not allowed. I would recommend using a separator like dash or underscore. Per Splunk's CIM you may want to consider the use of two tags. The combination of these tags would eliminate the flexibility to search on these tags independent of each other.
See also: Common Information Model