Ah. Entering more than one field-value pair will make that entry useless. For example, entering "host=a host=b" for tag "foo" will create a stanza in tags.conf like this:

[host=a%20host%3Db]
foo = enabled

In other words, it's looking for a host called "a host=b" - that's a valid field value (maybe not for host though), but probably not what you want.

I am talking about the text field located at the Web interface-Settings-Tags-List by tag name-New-Field Value pair I agree that "sed'ing that list into a list of tags.conf stanzas" is the most approach to Tag creation.

Yeah, boolean operators are all upper caps - else you're looking for the word "not".

What "field-value box" are you talking about? It's best to post the tags.conf stanzas in question, then we are all talking about the same thing.

I learned through trying both eventtype and tags in this context that it is vital that the "not" be all uppercase with parenthesis around the terms: NOT (eventtype=event1) NOT (tag=tag1)
Issue: A tag field-value combination with an * did not remove a matching domain when the NOT operator was used on it. Thus my confidence in tags has dropped. I am still curious whether multiple field value search terms within a single tag field-value box breaks the tag or not. Are those boxes just to allow for search term separation, searching, and association manipulation of tags field-value combinations?

For batch-adding a large number of tags from a precompiled list you're better off sed'ing that list into a list of tags.conf stanzas and adding that to the config file manually. Through the UI you're going to be busy for a long time adding hundreds or thousands of tags.

Perhaps you meant that tags are not well suited for large lists because you have to add each field-value pair individually, one at a time, whereas eventtypes allow for a large list to be pasted into the definition box all at once. I have just saved many pairs successfully into a single field-value pair box. Will that work properly or must each pair be placed in its own box?

As a result, editing single values does not require touching the entire list but rather an individual stanza.

As an additional bonus, the regular Splunk Search UI allows you to graphically add new values to an existing tag.

Looking at the search inspector for a search with tags in it you can see that this:

eventSearch:    search index=_internal tag=foo

Gets translated into this (I've tagged two sourcetypes with foo):

normalizedSearch:   litsearch index=_internal ( sourcetype=splunk_web_service OR sourcetype=splunkd_access )

That's very similar to the translation for eventtypes.

From a searching / performance POV, tags and eventtypes behave very similarly. Both get translated into their long-form SPL representation, and both support operators such as NOT.

The difference I see is in maintaining that list of IPs. With an eventtype you have one eventtype that contains a very long list of src_ip=foo OR ... entries, so to for example remove an entry you need to manually edit a large string.
On the other hand, tags are stored as individual values under a common name like this:

[src_ip=8.8.8.8]
google_dns=enabled

[src_ip=8.4.4.4]
google_dns=enabled

For the record in support of this question/thread, the linked page on tags gives the following example use of tags grouping the same IP addresses by different criteria: tag=router tag=SF NOT (tag=Building1)

I really like the idea of tags but I can't see the difference between them and eventtypes. Why are large lists better done with tags than with eventtypes? Is it because a large list in an eventtype pushes down all the other eventtypes to make it hard to find the eventtype of interest in the eventtype manager page?

well put.

/k