Splunk Search

What is the difference between an event type and a tag?

Sampler
New Member

I am sure there are plenty of experienced Splunkers who will chuckle at days of grappling with getting these two knowledge objects distinguished in their brain, but at this point I am still having a difficult time, even after reading several posts, blogs, etc.

So my playing around came up with this concept, and I am wanting to validate that this is a safe way to start understanding them; as time and experience in Splunk grow, the differentiation will become more clear.

It seems like a tag can be field1=value1 field1=value2 ... field1=value_n. A field can have one or more values, but the big point is that it is only a single field. On the other hand, an event type can be field1=value1 field1=value2 field2=value4. In other words, an event type can have one or more field/value pairs, with each field being paired with one or more values.

If you are using the test data available, a tag can be pain categoryId=strategy, categoryId=shooter, but an event type can be criminal categoryId=strategy categoryId=shooter action=purchase.

Thanks for any comments in advance.


thambisetty
SplunkTrust

In simple words:

Event types are more related to your data/events.

For example, there could be many types of events in your single source type: Windows failed authentications, Windows successful authentications. There could be another source which will also give the same types of events but in a different format, like application authentication failed logs and application successful logs.

You can create 4 event types to easily understand the context of your data.

Event types are created to give context to your data.

Tags are more related to event types.

For example, you can call all those 4 event types authentication logs. Tags are not specific to single-source events/data.

Tags are created to give context to your event types.

Hope this makes sense 🙂


————————————
If this helps, give a like below.

isoutamo
SplunkTrust
Hi,
That's true. A tag is always bound to the value of a single field. An eventtype is targeted at a combination of values of several fields, e.g. index, source, sourcetype and your own fields, and you could have several values of those. In a way, you could think that an eventtype and a macro can be used the same way.
r. Ismo
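To make the distinction in the question and both answers concrete, here is an added example (not from this thread, and not Splunk's own configuration): four authentication event types defined as searches over several fields, and tags bound to single field=value pairs. The sourcetype `myapp:auth` and its `status`/`action` fields are hypothetical; `WinEventLog:Security` with EventCode 4624/4625 are the standard Windows logon success/failure events.

```ini
# eventtypes.conf: each stanza name becomes a value of the "eventtype" field.
# An event type is a saved search, so it can combine any number of fields and values.
[windows_auth_failure]
search = sourcetype=WinEventLog:Security EventCode=4625

[windows_auth_success]
search = sourcetype=WinEventLog:Security EventCode=4624

# Hypothetical application log with its own field names for the same concept.
[app_auth_failure]
search = sourcetype=myapp:auth action=login status=failure

[app_auth_success]
search = sourcetype=myapp:auth action=login status=success

# tags.conf: a stanza is exactly ONE field=value pair; it can carry several tags.
# Tagging the eventtype field is the usual way to label groups of event types.
[eventtype=windows_auth_failure]
authentication = enabled
failure = enabled

[eventtype=windows_auth_success]
authentication = enabled
success = enabled

[eventtype=app_auth_failure]
authentication = enabled
failure = enabled

[eventtype=app_auth_success]
authentication = enabled
success = enabled

# A tag does not have to sit on eventtype; any field=value pair works,
# which is the "pain categoryId=strategy" case from the question.
[categoryId=STRATEGY]
pain = enabled

# Searches that use them (SPL, shown here as comments):
#   tag=authentication tag=failure | stats count by eventtype, user
# pulls failed logons from both sources without knowing their field names, while
#   eventtype=windows_auth_failure
# expands to the full multi-field search above.
```

Note that a tag bound to `eventtype=...` only matches events the event type's search already matched, so a change to an event type's search silently changes what the tag covers.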