Any recommended best practices for managing eventtypes and their corresponding tags?
I've found the Splunk Common Information Model to be fairly helpful in starting a taxonomy.
I've also been using the following search to review events and their tags:
* | dedup eventtype | fields eventtype, tag::eventtype
Any other recommendations, best practices, thoughts?