I have a very straightforward Event Type: index="windows" sourcetype="WinHostMon" source="service". I want it to apply the tags "service" and "report".
I have created the Event Type and given everyone read permissions in all apps and only the admin write permissions. If I paste the Event Type search into the search bar, I see the events that I want. I can see the field "eventtype=windows_service" in the field bar. But when I click on the "tag" or "tag:eventtype" fields, I am not seeing that "service" or "report" are being applied to the events.
I feel like I'm taking crazy pills...
There are two different items in your question: eventtype, and tags.
EVENT TYPES
First, just try a search
index="windows" eventtype=windows_service | head 5
You should see 5 events. This means your eventtype code is working. If so, then look at the next thing, if not, then revisit your eventtype definitions.
TAGS
Next, try the same search using the tag instead.
index="windows" tag=service | head 5
You should still see 5 events, but perhaps not the same five. This means your tag code is working. If not, then revisit your tag definitions.
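For reference, this is what the definitions behind the two checks above look like on disk, using the search and tag names from the question. This is an added illustration, not configuration from the thread; the app name my_windows_app and the metadata file are assumptions.

```ini
# Added example, not from the thread: how an event type, its tags and their
# sharing fit together on a Splunk search head. App name my_windows_app is assumed.

# $SPLUNK_HOME/etc/apps/my_windows_app/local/eventtypes.conf
# The stanza name is the event type name that "eventtype=windows_service" matches.
[windows_service]
search = index="windows" sourcetype="WinHostMon" source="service"

# $SPLUNK_HOME/etc/apps/my_windows_app/local/tags.conf
# The stanza key is the field=value pair being tagged (here the eventtype field),
# and the value must match the eventtypes.conf stanza name exactly.
[eventtype=windows_service]
service = enabled
report = enabled

# $SPLUNK_HOME/etc/apps/my_windows_app/metadata/local.meta
# Sharing: readable by every role, writable by admin. Without export = system a
# definition is only visible from inside my_windows_app, which is one thing to
# verify when an event type or tag is not applied from another app's context.
[eventtypes/windows_service]
access = read : [ * ], write : [ admin ]
export = system

[tags/eventtype%3Dwindows_service]
access = read : [ * ], write : [ admin ]
export = system
```

On the search head, `splunk btool eventtypes list windows_service --debug` and `splunk btool tags list eventtype=windows_service --debug` print which file each stanza is read from, so a definition living in the wrong app or one shadowed by another app stands out.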
eventtype=windows_service | head 5 returns five events as expected. But the tags associated with that Event Type are not being applied. Searching on "tag=service tag=report" only returns events for different Event Types...
I am facing the same issue as you... can't figure out what's wrong.
When searching for tag=service or tag=report, the events from the Event Type don't show up?
Or, another way to ask this: when you have eventtype=windows_service in your search and you see the events, if you expand an event, does it show a tag field with the tags you mentioned?
Is this a single instance Splunk server? Where are you making the changes?
When searching on "tag=service AND tag=report", events do not show up.
When searching on eventtype="windows_service", events do not show up.
When searching on the windows_service Event Type criteria (index=windows sourcetype=WinHostMon source=service), events show up but without the windows_service eventtype.
I do see the windows_hostmon event type is successfully applying the "os" and "windows" tags to events, but mine isn't working. And I have another Event Type called windows_process that is nearly identical and is working perfectly.
I'm creating the Event Types on an ES search head that searches a 3 node index cluster.
I'm noticing that other Event Types and their associated tags are not being applied to matching events.
How do I troubleshoot this?
I am thinking it might be a permissions issue. However, the fact you can manually search and see the events should discount that. I am looking into how to troubleshoot this; I will post any findings I have.