Knowledge Management

what is the basic difference between tags and event types

Explorer

The same kind of output is generated while using either "Tags" or "Event types".
So what is the exact purpose of these two? When should we use what? What is their basic difference?


Re: what is the basic difference between tags and event types

Builder

Re: what is the basic difference between tags and event types

Explorer

An eventtype is a search that runs when you specify eventtype=MyEventType; you can think of it like a "pipeless, parameterless macro" or even like a saved search.

A tag is a not-necessarily-unique "nametag" given to a specific, definitive (wildcardless) key-value pairing. It is very much like an eventtype, but it has the following differences:

An instance of an eventtype name is defined by a single directive inside a single eventtypes.conf file but an instance of a tag name can be defined in an infinite number of separate tags.conf files.

An eventtype definition can use wildcards and have any number of pre-pipe specifications (conjunctions), but a tag definition always contains a single key=value pairing.


Re: what is the basic difference between tags and event types

Splunk Employee

For typical use cases, I'd describe eventtypes as search language filters, or search language matchers.

They can be used to constrain a search, or just to derive labelling for unconstrained searches.


Re: what is the basic difference between tags and event types

Splunk Employee

For the "when to use" question, I think this is really a workflow thing.

Tags allow people to identify key-value pairs (aka fieldname fieldvalue pairs) that categorize items. This can be done incrementally and collectively. For example, if you notice a host should be tagged as a webserver and it is not, you can add it at the time that you are viewing it. If the tags are shared (not private), this means that some grouping of people can be collaboratively creating these groupings, building shared knowledge.

Eventtypes allow people to create labels based on search expressions. This means you have one definition of what that label is, centrally managed in a single configuration. In cases where that search expression will cover the entire category now and in the future, it can be simpler and more manageable, but if the category definition is an arbitrary list of values, it would be a poor workflow fit for maintenance reasons.

There are probably other differentiators in the messy details, but I think this is the main distinction.
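Putting the two kinds of definition side by side, as an added example that is not taken from any of the posts above: the eventtypes.conf and tags.conf fragments below illustrate both the structural difference described in the earlier reply (one eventtype stanza with wildcards and conjunctions versus many single key=value tag stanzas spread over several tags.conf files) and the workflow point made in the reply just above (an arbitrary list of hosts is awkward as an eventtype but natural as tags added by different people in different apps). The app names web_tier and ops_team, the host names, the sourcetype, the index name and the field values are all assumed for this example; only the file names, stanza syntax and search operators are Splunk's own.

```ini
# --- $SPLUNK_HOME/etc/apps/web_tier/local/eventtypes.conf ---
# (app name "web_tier", sourcetype, field names and values are assumed for this example)
# One eventtype = one stanza = one search expression. It may use wildcards,
# implicit AND, OR and NOT, exactly as in the search bar, but no pipes.
[web_error]
search = sourcetype=access_combined status=5* NOT uri_path=/healthz
description = HTTP 5xx responses from the web tier, excluding health checks

# A category that is really an arbitrary list of values is a poor fit as an
# eventtype: every new host means editing this one central stanza.
[webservers_as_eventtype]
search = host=web01 OR host=web02 OR host=web03

# --- $SPLUNK_HOME/etc/apps/web_tier/local/tags.conf ---
# One stanza per exact field=value pair (no wildcards); each line inside the
# stanza names a tag and enables or disables it for that pair.
[host=web01]
webserver = enabled

[host=web02]
webserver = enabled

# An eventtype name is itself a field=value pair at search time, so it can be tagged.
[eventtype=web_error]
error = enabled

# --- $SPLUNK_HOME/etc/apps/ops_team/local/tags.conf ---
# (second, assumed app) The same tag name can be extended from any other
# tags.conf; nothing has to be merged into a single central definition.
[host=web03]
webserver = enabled

[host=web01]
pci = enabled

# Searches that use the objects above (search language, shown as comments here):
#   eventtype=web_error                        constrain a search to the eventtype
#   tag=webserver                              any field tagged webserver
#   tag::host=webserver                        only events whose host field is tagged
#   tag::host=webserver eventtype=web_error    combine the two
#   index=web | stats count by eventtype       label an unconstrained search
#   index=web | stats count by tag::host       same, grouped by the host tag
```

Two practical checks follow from the layout. First, Splunk merges every tags.conf in scope at search time, so after the two files above the tag webserver is attached to web01, web02 and web03 regardless of which app contributed each stanza, and web01 carries both webserver and pci; an eventtype stanza of the same name in two apps does not combine, the higher-precedence app's search key simply wins. Second, a bare tag=webserver matches the tag on any field, so if some other field value were also tagged webserver those events would be pulled in too; when the tag is meant to identify hosts, search on tag::host=webserver to keep the scope explicit.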