I am sure there are plenty of experienced Splunkers who will chuckle at days of grappling with getting these two knowledge objects distinguished in their brain, but at this point I am still having a difficult time, even after reading several posts, blogs, etc.
So my playing around came up with this concept, and I am wanting to validate that this is a safe way to start understanding them, and that as time and experience grow in Splunk the differentiation will become more clear.
It seems like a tag can be field1=value1 field1=value2 .... field1=value_n. A field can have one or more values, but the big point is it is only a single field. On the other hand, an event type can be field1=value1 field1=value2 field2=value4. In other words, an event type can have one or more field/value pairs, with each field being paired with one or more values.
If you are using the test data available, a tag can be pain: categoryId=strategy, categoryId=shooter. But an event type can be criminal: categoryId=strategy categoryId=shooter action=purchase.
Thanks for any comments in advance.
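For reference, this is how the two objects are declared in Splunk's configuration files, as an added example rather than anything from the post. The field values come from the post, the OR in the event type search is my reading of the two categoryId values, and the files are assumed to sit in an app's local/ directory.

```ini
# eventtypes.conf (assumed location: <app>/local/eventtypes.conf)
# An event type is a saved search. Every event the search matches
# gets the field eventtype=criminal added at search time, so it can
# combine any number of fields and values in one definition.
[criminal]
search = (categoryId=strategy OR categoryId=shooter) action=purchase

# tags.conf (assumed location: <app>/local/tags.conf)
# A tag is a label attached to exactly one field=value pair per stanza.
# The same tag name may appear in many stanzas, on the same field or
# on different fields, which is how one tag comes to cover many values.
[categoryId=strategy]
pain = enabled

[categoryId=shooter]
pain = enabled

# Because eventtype is itself a field, an event type can be tagged too,
# so a tag can sit on top of an event type rather than compete with it.
[eventtype=criminal]
pain = enabled
```

With both files in place, the search `tag=pain` returns events from either category (and any event matching the criminal event type), while `eventtype=criminal` returns only events that satisfy the saved search.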