An eventtype is a search that runs when you specify eventtype=MyEventType; you can think of it like a "pipeless, parameterless macro" or even like a saved search.

A tag is a not-necessarily-unique "nametag" given to a specific, definitive (wildcardless) key=value pairing. It is very much like an eventtype, but it has the following differences:

1. An instance of an eventtype name is defined by a single directive inside a single eventtypes.conf file, but an instance of a tag name can be defined in an infinite number of separate tags.conf files.
2. An eventtype definition can use wildcards and have any number of pre-pipe specifications (conjunctions), but a tag definition always contains a single key=value pairing.

There is an extremely high degree of use-case overlap between the 2 constructs. For example, if you would like to identify all lab servers you could create a single eventtype like this:

[LAB_EVENTS]
search = host=LAB* OR host=xyz OR host=PDQ

Then you search like this:

eventtype=LAB_EVENTS

Or you could use several tags like this:

[host=LAB1]
lab=enabled
[host=LAB2]
lab=enabled
[host=LAB3]
lab=enabled
[host=xyz]
lab=enabled
[host=PDQ]
lab=enabled

Then you search like this:

tag="lab"
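To make the two matching rules in the answer above concrete, here is a small added example (not code from the thread or from Splunk) that parses the stanza format of eventtypes.conf and tags.conf and resolves both for a single event. It models only what the answer shows: the eventtype search is assumed to be an OR of key=value terms where the value may carry a `*` wildcard, and tag stanzas match an exact key=value pair; the `lab = disabled` entry for PDQ is a constructed value used to show how a disabled tag behaves.

```python
import configparser
import fnmatch
import re

# Constructed config text modelled on the stanzas in the answer above.
EVENTTYPES_CONF = """
[LAB_EVENTS]
search = host=LAB* OR host=xyz OR host=PDQ
"""

TAGS_CONF = """
[host=LAB1]
lab = enabled
[host=LAB2]
lab = enabled
[host=xyz]
lab = enabled
[host=PDQ]
lab = disabled
"""


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}} (toy parser)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def eventtype_matches(search, event):
    """Toy evaluator for an 'k=v OR k=v ...' eventtype search; values may use * wildcards.
    Assumption: only the OR-of-equalities subset used on this page is supported."""
    for term in re.split(r"\s+OR\s+", search.strip()):
        key, _, pattern = term.partition("=")
        if key in event and fnmatch.fnmatchcase(str(event[key]), pattern):
            return True
    return False


def tags_for_event(tags, event):
    """Collect tag names whose exact key=value stanza matches a field of the event and is enabled."""
    found = set()
    for field, value in event.items():
        stanza = tags.get(f"{field}={value}", {})
        found.update(tag for tag, state in stanza.items() if state == "enabled")
    return found


def classify(event, eventtypes, tags):
    """Return (sorted matching eventtype names, sorted enabled tag names) for one event."""
    matched = [name for name, st in eventtypes.items() if eventtype_matches(st["search"], event)]
    return sorted(matched), sorted(tags_for_event(tags, event))


if __name__ == "__main__":
    ev, tg = parse_conf(EVENTTYPES_CONF), parse_conf(TAGS_CONF)
    for host in ("LAB1", "LAB9", "PDQ", "web01"):
        print(host, classify({"host": host}, ev, tg))
```

Note that host=LAB9 still matches the eventtype through the wildcard but gets no tag, because a tag only exists for the exact pairings that were written down.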
Nice examples, Woodcock!!! Eventtype is quite easy to understand but tag with enabled/disabled <field><value> is not always clear to a lot of people.

On the other hand, the whole eventtype can also be tagged in tags.conf like the following:

[eventtype=LAB_EVENTS]
lab = enabled
Great explanation woodcock, could you give sample results based on those event types and tags?
Thanks.
Look at how the Common Information Model app uses each:
https://docs.splunk.com/Documentation/CIM/latest/User/Overview
@realsplunk, please keep in mind that Event types are intended for data classification whereas Tags are for data normalization - so, from a design perspective, they are very different.
I disagree. I use tags for classification all the time; for example a host can be either production or development.
Is there a big difference regarding the performance between eventtypes and tags?

Can you tell me when I should use tags and when I should use eventtypes?
Use tags when you don't need wildcards. Use eventtypes when you do need wildcards. Always prefer tags.
Check out the Knowledge Object Explorer app. With a small number, there is no difference, but the more apps and configurations you add, there can be HUGE performance differences between the two.
https://splunkbase.splunk.com/app/2871/