Event types versus Tags


Splunk allows us to have a tag and an event type with the same name, so what exactly is the difference between an event type and a tag name?

We have defined “TransactionsAndroid” as an event type:

  • Event type: TransactionsAndroid

  • Search string: uri="/ftgw/fbc/*" Apache-HttpClient/Fidelity-Android/

  • tag: TransactionsAndroid

And as the following 2 Tags (which both have the same name):

  • Tag name: TransactionsAndroid

  • Field value pair: eventtype=TransactionsAndroid


  • Tag name: TransactionsAndroid

  • Field value pair: uri="/ftgw/fbc/*" Apache-HttpClient/Fidelity-Android/

Why does Splunk let us have 2 definitions for a tag name?

Which tag definition should we use?

In a search, what is the difference between the following?

  1. tag=TransactionsAndroid

  2. tag::eventtype=TransactionsAndroid

  3. eventtype=TransactionsAndroid


In our queries, should we refer to the tag or the event type?

Splunk Employee

Eventtypes and tags are a data abstraction layer that help you "normalize" data in Splunk.

Consider that some errors are more critical than others. Maybe you've got a debug message in the log that's flagged as an error when really it's not. For the "more critical" error, you might create an eventtype specific to that, like "server_E_ONFIRE". Start with a generic "error" eventtype. The tag here is "error = enabled". Now for the "server_E_ONFIRE" event, the more specific eventtype can then define more specific tags. Try "critical = enabled". Now, that event will have both eventtypes, and tags of "critical" and "error". For the debug "success error", set "error = disabled" to clear that tag.

Now you can search for "tag = critical" that will find the server_E_ONFIRE, but also any other messages you've tagged as critical. If you search just for "eventtype=server_E_ONFIRE", then you'll only find those. But if you search for "tag=error", then you won't get that debug message.
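
The layout described in the answer above, written out as Splunk configuration. This is an added example, not part of the original thread; the two `search =` strings are constructed placeholders, and the debug-message case is left out.

```ini
# ---- eventtypes.conf ----
# One stanza per eventtype; the search strings are constructed for illustration.
[error]
search = log_level=ERROR

[server_E_ONFIRE]
search = log_level=ERROR "E_ONFIRE"

# ---- tags.conf ----
# Stanza name is a field=value pair; each key is a tag name set to enabled or disabled.
[eventtype=error]
error = enabled

[eventtype=server_E_ONFIRE]
critical = enabled

# ---- How the three search forms from the question resolve ----
#   eventtype=server_E_ONFIRE  -> events matching that one eventtype only
#   tag=critical               -> events where any field=value pair carries the tag "critical"
#   tag::eventtype=critical    -> events where the tag "critical" is attached to a value
#                                 of the eventtype field specifically
```

An event matching both searches gets both eventtypes, so it carries the tags `error` and `critical`, which is the behaviour the answer describes.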
