Knowledge Management

what is the basic difference between tags and event types

debanjankundu
Explorer

The same kind of output is generated when using either "Tags" or "Event types".
So what is the exact purpose of these two? When should we use which? What is their basic difference?

jrodman
Splunk Employee

For the "when to use" question, I think this is really a workflow thing.

Tags allow people to identify key-value pairs (aka fieldname fieldvalue pairs) that categorize items. This can be done incrementally and collectively. For example, if you notice a host should be tagged as a webserver and it is not, you can add it at the time that you are viewing it. If the tags are shared (not private), this means that some grouping of people can be collaboratively creating these groupings, building shared knowledge.

Eventtypes allow people to create labels based on search expressions. This means you have one definition of what that label is, centrally managed in a single configuration. In cases where that search expression will cover the entire category now and in the future, it can be simpler and more manageable, but if the category definition is an arbitrary list of values, it would be a poor workflow fit for maintenance reasons.

There are probably other differentiators in the messy details, but I think this is the main distinction.

adtetech
Explorer

An eventtype is a search that runs when you specify eventtype=MyEventType; you can think of it like a "pipeless, parameterless macro" or even like a saved search.

A tag is a not-necessarily-unique "nametag" given to a specific, definitive (wildcardless) Key-value-pairing. It is very much like an eventtype but it has the following differences:

An instance of an eventtype name is defined by a single directive inside a single eventtypes.conf file but an instance of a tag name can be defined in an infinite number of separate tags.conf files.

An eventtype definition can use wildcards and have any number of pre-pipe specifications (conjunctions), but a tag definition always contains a single key=value pairing.
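To make the two differences above concrete, here is an added configuration example (not from the original post): a hypothetical `web_error` eventtype defined once with a multi-term search, and tags that each attach a label to exactly one key=value pair, possibly spread over several apps' `tags.conf` files. All stanza names, hosts and tag names are made up for illustration.

```ini
; eventtypes.conf (one app, one definition of the label)
; The search can carry wildcards and several conjoined terms.
[web_error]
search = sourcetype=access_combined* status>=500 NOT uri_path="/health"

; tags.conf in app A: a tag always names a single key=value pair.
; Tagging a host as a web server; another team can add more hosts
; in their own app without touching this file.
[host=web01]
webserver = enabled

; tags.conf in app B: the same tag name, defined for a different host.
[host=web02]
webserver = enabled

; tags.conf: an eventtype is itself a field, so it can be tagged too.
[eventtype=web_error]
error = enabled

; Searching (in the search bar, not in a .conf file):
;   tag=webserver eventtype=web_error
; constrains to both the tag's hosts and the eventtype's search terms,
; while
;   sourcetype=access_combined* | stats count by eventtype
; uses eventtypes purely as derived labels on an unconstrained search.
```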

jrodman
Splunk Employee

For typical use cases, I'd describe eventtypes as search language filters, or search language matchers.

They can be used to constrain a search, or just to derive labelling for unconstrained searches.
