Any recommended best practices for managing eventtypes and their corresponding tags?
I've found the Splunk Common Information Model to be fairly helpful in starting a taxonomy.
I've also been using the following search to review events and their tags
* | dedup eventtype | fields eventtype, tag::eventtype
Any other recommendations, best practices, thoughts?
Why not just use the event types admin page?
(adjust the base URL for your Splunk install, of course).
View solution in original post
I forgot all about this. I was thinking along the lines of a report of some sort (maybe similar to eventtyper), but this will help.