Any recommended best practices for managing eventtypes and their corresponding tags?
I've found the Splunk Common Information Model to be fairly helpful in starting a taxonomy.
I've also been using the following search to review events and their tags
* | dedup eventtype | fields eventtype, tag::eventtype
Any other recommendations, best practices, thoughts?
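The search in the question reviews the mapping from the indexed-data side. An offline complement, added here as an example and not code from the thread or from Splunk, is to cross-check the two configuration files that define the mapping: eventtypes.conf (stanza `[<eventtype_name>]` with a `search` key) and tags.conf (stanza `[eventtype=<name>]` with `<tag> = enabled|disabled`). The sample conf text is constructed; eventtype and tag names in it are placeholders. The review reports every eventtype with its enabled tags, eventtypes that carry no tag, and tag stanzas that reference an eventtype nobody defined.

```python
"""Cross-check Splunk eventtypes.conf against tags.conf.

Added example; assumes the stock Splunk conf formats:
  eventtypes.conf: [<eventtype_name>]  with  search = <SPL>
  tags.conf:       [eventtype=<name>]  with  <tag> = enabled | disabled
The conf text below is constructed for this example.
"""
import configparser

# Constructed sample eventtypes.conf (names are placeholders)
EVENTTYPES_CONF = """
[failed_login]
search = sourcetype=linux_secure "Failed password"

[web_error]
search = sourcetype=access_combined status>=500

[untagged_type]
search = sourcetype=syslog
"""

# Constructed sample tags.conf; ghost_type has no matching eventtype stanza
TAGS_CONF = """
[eventtype=failed_login]
authentication = enabled
failure = enabled
legacy = disabled

[eventtype=web_error]
web = enabled
error = enabled

[eventtype=ghost_type]
network = enabled
"""


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (tag names are case-sensitive)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def eventtypes(text):
    """Set of eventtype names defined in eventtypes.conf text."""
    return set(parse_conf(text))


def eventtype_tags(text):
    """Map eventtype name -> sorted list of enabled tags from tags.conf text."""
    prefix = "eventtype="
    out = {}
    for section, kv in parse_conf(text).items():
        if not section.startswith(prefix):
            continue  # tags.conf may also tag host=, source=, etc.; skip those
        name = section[len(prefix):]
        out[name] = sorted(
            tag for tag, state in kv.items() if state.strip().lower() == "enabled"
        )
    return out


def review(eventtypes_text, tags_text):
    """Report tag coverage and dangling tag stanzas."""
    defined = eventtypes(eventtypes_text)
    tagged = eventtype_tags(tags_text)
    return {
        "tags": {et: tagged.get(et, []) for et in sorted(defined)},
        "untagged": sorted(et for et in defined if not tagged.get(et)),
        "orphan_tags": sorted(et for et in tagged if et not in defined),
    }


if __name__ == "__main__":
    report = review(EVENTTYPES_CONF, TAGS_CONF)
    for et, tags in report["tags"].items():
        print(f"{et}: {', '.join(tags) or '(no tags)'}")
    print("untagged eventtypes:", report["untagged"])
    print("tags referencing undefined eventtypes:", report["orphan_tags"])
```

Point `parse_conf` at the merged output of `btool eventtypes list` and `btool tags list` (or the raw files under an app's `local/` and `default/` directories) to run it against a real deployment; disabled tags are deliberately dropped so the report matches what searches on `tag::eventtype` would actually see.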
Why not just use the event types admin page?
http://localhost:8000/en-US/manager/search/saved/eventtypes
(adjust the base URL for your Splunk install, of course).
Thanks gkanapathy!
I forgot all about this. I was thinking along the lines of a report of some sort (maybe similar to eventtyper), but this will help.