Knowledge Management

What are the definitions of Tag and Eventtype and what are the differences between the two?

kedjjang
Explorer
  1. What is the definition of a [Tag]?

  2. What is the definition of an [Eventtype]?

  3. What is the difference between a [Tag] and an [eventtype]?


woodcock
Esteemed Legend

An eventtype is a search that runs when you specify eventtype=MyEventType; you can think of it like a "pipeless, parameterless macro" or even like a saved search.

A tag is a not-necessarily-unique "nametag" given to a specific, definitive (wildcardless) Key-value-pairing. It is very much like an eventtype but it has the following differences:

An instance of an eventtype name is defined by a single directive inside a single eventtypes.conf file but an instance of a tag name can be defined in an infinite number of separate tags.conf files.

An eventtype definition can use wildcards and have any number of pre-pipe specifications (conjunctions), but a tag definition always contains a single key=value pairing.

There is an extremely high degree of use-case overlap between the 2 constructs. For example, if you would like to identify all lab servers you could create a single eventtype like this:

[LAB_EVENTS]
search = host=LAB* OR host=xyz OR host=PDQ

Then you search like this:

eventtype=LAB_EVENTS

Or you could use several tags like this:

[host=LAB1]
lab=enabled
[host=LAB2]
lab=enabled
[host=LAB3]
lab=enabled
[host=xyz]
lab=enabled
[host=PDQ]
lab=enabled

Then you search like this:

tag="lab"

anwarmian
Communicator

Nice examples, Woodcock!!! Eventtype is quite easy to understand, but tag with enabled/disabled <field><value> is not always clear to a lot of people.

On the other hand, the whole eventtype can also be tagged in tags.conf like the following:

[eventtype=LAB_EVENTS]
lab = enabled

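To make the contrast concrete, here is an added toy resolver (example code written for this page, not code from the thread or from Splunk) that reads the stanzas from woodcock's answer plus the eventtype tag from the reply above and evaluates both constructs against sample events: the eventtype search accepts wildcards and conjunctions, while a tag attaches only to an exact key=value pair, and eventtype=LAB_EVENTS is one such pair. The LAB_ERRORS eventtype and the sample events are constructed for the example.

```python
import fnmatch
# Constructed .conf text mirroring the stanzas in the answers above; this is a toy
# resolver written for illustration, not Splunk's own search or knowledge-object code.
EVENTTYPES_CONF = """
[LAB_EVENTS]
search = host=LAB* OR host=xyz OR host=PDQ
[LAB_ERRORS]
search = host=LAB* severity=error
"""
TAGS_CONF = """
[host=LAB1]
lab=enabled
[host=xyz]
lab=enabled
[eventtype=LAB_EVENTS]
lab = enabled
"""

def parse_conf(text):
    """Minimal .conf reader: {stanza: {key: value}}; accepts 'k=v' and 'k = v'."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def matches_eventtype(event, search):
    """OR-separated clauses, each an implicit AND of key=value terms; * wildcards allowed."""
    for clause in search.strip().split(" OR "):
        terms = [t.split("=", 1) for t in clause.split()]
        if all(k in event and fnmatch.fnmatchcase(event[k], v) for k, v in terms):
            return True
    return False

def eventtypes_for(event, eventtypes):
    return sorted(n for n, s in eventtypes.items() if matches_eventtype(event, s["search"]))

def tags_for(event, tags, eventtypes=None):
    """Tags bind to exact pairs only; eventtype=<name> is a pair, so tagging it inherits wildcards."""
    pairs = {f"{k}={v}" for k, v in event.items()}
    if eventtypes is not None:
        pairs |= {f"eventtype={n}" for n in eventtypes_for(event, eventtypes)}
    return sorted({t for p in pairs for t, s in tags.get(p, {}).items() if s == "enabled"})
EVENTTYPES = parse_conf(EVENTTYPES_CONF)
TAGS = parse_conf(TAGS_CONF)
```

A host such as LAB7 matches the wildcard eventtype but carries no tag on its own; it only picks up lab through the eventtype=LAB_EVENTS stanza.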

splunkreal
Motivator

Great explanation woodcock, could you give sample results based on those event types and tags?

Thanks.

* If this helps, please upvote or accept solution 🙂 *

woodcock
Esteemed Legend

Look at how the Common Information Model app uses each:
https://docs.splunk.com/Documentation/CIM/latest/User/Overview


ddrillic
Ultra Champion

@realsplunk, please keep in mind that Event types are intended for data classification whereas Tags are for data normalization - so, from a design perspective, they are very different.

woodcock
Esteemed Legend

I disagree. I use tags for classification all the time; for example a host can be either production or development.


HeinzWaescher
Motivator

Is there a big difference regarding the performance between eventtypes and tags?

arihant16cse
Path Finder

Can you tell me when I should use tags and when I should use eventtypes?


woodcock
Esteemed Legend

Use tags when you don't need wildcards. Use eventtypes when you do need wildcards. Always prefer tags.


woodcock
Esteemed Legend

Check out the Knowledge Object Explorer app. With a small number there is no difference, but as you add more apps and configurations there can be HUGE performance differences between the two.
https://splunkbase.splunk.com/app/2871/
