Event Type vs Tags for multiple events

deadbits
Explorer

I am looking to create a way to track multiple types of events across different sources. For example, where 'web' is a parent and things like 'attack', 'browser', 'misc', etc could be children. The children might also have children.

Multiple events might cross between different parents and so on. I am a little confused on where to even begin with it.

A quick example of the type of nested tagging I am looking to do is below. Ideally I'd like to be able to search these tagged events using: tag::web, tag::web::attack, tag::web::attack::sqli, etc.

Should I be using eventtypes or tags for this type of tracking?

If so, what's the best way to build the tags or eventtypes for multiple 'nested' events like this?

Thanks in advance!

  • web
    • attack
      • sqli
      • xss
      • csrf
    • misc
      • info_disclosure
      • sensitive_data
      • spider
1 Solution

Ayn
Legend

The way tags work (not just in Splunk, but in general) is that they're not divided into hierarchies - rather you create a hierarchy in some sense if you want. Tagging is done strictly based on fields, so because fields are not structured in any hierarchical way, neither is tagging. Depending on your exact use-case I'm not sure there's a strict need for "sqli" to actually be a strict subset of "attack" which in turn is a subset of "web". Why not just create an eventtype for sqli, then tag it with tag::eventtype="web", tag::eventtype="attack" and tag::eventtype="sqli"? And so on for the rest of the classifications. You'd still be able to determine which categories the respective events belong to, as long as you make sure to document the available categories and how they relate to each other.

deadbits
Explorer

Just for reference's sake, I ended up creating various eventtypes which have tags associated. Some eventtypes have multiple tags, and some of the eventtypes share tags, obviously. This way tag=web contains multiple searches as eventtypes, and events can be tagged as you go if they need to be classified down the road.

0 Karma

rashid47010
Communicator

Hi,
I have two network appliances (Palo Alto and McAfee IPS); both have the common tag=network. Now I want to see the events from both devices (indexes) through the tag.
How can I see them?

0 Karma

deadbits
Explorer

That makes sense. You are probably right in that the hierarchy wouldn't make much sense here.
I did some early testing last week and pretty much used your idea. It actually makes it a lot easier to filter the events using multiple tags (e.g. tag=ids (tag=exploit OR tag=malware)) and so on.

Thanks for your help!

0 Karma
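The flat tagging scheme Ayn describes, together with the multi-tag searches deadbits ended up using, can be expressed in two Splunk configuration files. The following is an added example, not configuration from the original thread or from any Splunk app: the eventtype names (web_sqli, web_xss, web_spider, ids_exploit), the detection searches inside them, the field names (uri_query, signature) and the sourcetype names (pan:traffic, mcafee:ips) are all assumed placeholders that would need to match your own data. The point it shows is that every "child" tag has to be applied alongside its "parent" tags explicitly, because Splunk has no notion that sqli sits under attack; the hierarchy exists only in the documented convention.

```ini
# ---- eventtypes.conf (assumed, example only) ----
# Each eventtype is a plain saved search with no pipes. The search bodies here
# are illustrative detection filters, not tuned rules.

[web_sqli]
search = sourcetype=access_combined uri_query="*UNION*SELECT*"

[web_xss]
search = sourcetype=access_combined uri_query="*<script*"

[web_spider]
search = sourcetype=access_combined useragent="*bot*"

[ids_exploit]
search = sourcetype=snort signature="*EXPLOIT*"

# ---- tags.conf (assumed, example only) ----
# Stanza key is <field>=<value>; each line is <tagname> = enabled.
# Tags are flat: web_sqli must carry "web" and "attack" itself, nothing
# inherits them from a parent.

[eventtype=web_sqli]
web = enabled
attack = enabled
sqli = enabled

[eventtype=web_xss]
web = enabled
attack = enabled
xss = enabled

[eventtype=web_spider]
web = enabled
misc = enabled
spider = enabled

[eventtype=ids_exploit]
ids = enabled
exploit = enabled

# Tags can sit directly on any field, not only on eventtypes. This is how two
# appliances with different sourcetypes end up under one tag=network.
[sourcetype=pan:traffic]
network = enabled

[sourcetype=mcafee:ips]
network = enabled

# ---- searches that the scheme above supports (SPL, shown as comments) ----
# tag=web                              all three web eventtypes
# tag=web tag=attack                   web_sqli and web_xss only
# tag=sqli                             web_sqli only; same as tag=web tag=attack tag=sqli
# tag::eventtype=attack                limit the tag lookup to the eventtype field
# tag=ids (tag=exploit OR tag=malware) the combination deadbits used
# tag=network                          both sourcetypes, no eventtype needed
```

Two things to check when adopting this: a search for tag=sqli alone will still return the right events, but only because web and attack were added to the same stanza by hand, so keep a short table of which tags imply which; and because tags expand across every tagged field, a tag name reused on an unrelated field (for example a host tagged "web") silently widens tag=web, so use tag::eventtype=web where you only mean the eventtype classification.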