Splunk allows us to have a tag and an event type with the same name, so what exactly is the difference between an event type and a tag name?
We have defined “TransactionsAndroid” as an event type:
Event type: TransactionsAndroid
Search string: uri="/ftgw/fbc/*" Apache-HttpClient/Fidelity-Android/
tag: TransactionsAndroid
And as the following 2 Tags (which both have the same name):
Tag name: TransactionsAndroid
Field value pair: eventtype=TransactionsAndroid
and:
Tag name: TransactionsAndroid
Field value pair: uri="/ftgw/fbc/*" Apache-HttpClient/Fidelity-Android/
Why does Splunk let us have 2 definitions for a tag name?
Which tag definition should we use?
In a search, what is the difference between the following?
tag=TransactionsAndroid
tag::eventtype=TransactionsAndroid
eventtype=TransactionsAndroid
(see http://docs.splunk.com/Documentation/Splunk/4.3.5/Knowledge/Tageventtypes)
In our queries, should we refer to the tag or the event type?
... View more