Splunk Knowledge Objects: Tag vs EventType
Knowledge objects are defined by users to extract meaning from data. They enrich the data so it becomes more useful and easier to search and work with. Tags and event types are two of the most useful knowledge objects (KOs) in Splunk; today we give a brief hands-on explanation of the two.
Event Types:
I am sure that you all know about events, so event types will be easy for you too. An event type is a way to create a category of events based on your own requirements (types).
Let’s take an example,
Assume we have multiple status codes in our “_internal” index and we want to create an event type for the successful status code 200.
Run the search query,
index=_internal sourcetype="splunkd_ui_access" 200
Now click on Save As > Event Type
NOTE: an event type can only be created from a plain search expression; you can’t use any pipe (“|”) in your query.
Then we can get the successful-status events back by searching on the event type name. Search: eventtype=<name you gave the event type>
Tags:
Tags help us group related field values. A tag assigns a name to a specific field and value combination, so tags are created on field-value pairs.
For example, assume status code 404 is an error status and we want to create a tag for it.
Click on Settings > Tags > List by field value pair > Add new
Field value pair : status=404
Tag name : 404error
Click on Save
Now you can search your tag like this,
- To search for a tag associated with a value in any field, use: tag=<tagname>
In the above example, that is: tag=404error
- To search for a tag associated with a value in a specific field, use: tag::<field>=<tagname>
In the above example, that is: tag::status=404error
When to use:
Function-wise the two can look very similar; however, tags let you identify events based on field-value pairs,
while event types let you segregate your event data based on any condition a search can express.
Important notes:
- You can add multiple tags within an event type. Assume we have two tags, for status codes 404 and 304, that both represent “error HTTP request”. We can then create one event type named “HTTP Error” and assign both tags together within that single event type.
- An event type can be created in multiple ways:
  - From Splunk Web via Settings > Event types
  - Using the eventtypes.conf file
  - Using the search interface (as shown here)
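As an added example (not from the original post), here are the eventtypes.conf and tags.conf stanzas that define the same objects built through the UI above; the stanza names, the 304error tag and the http_error tag are assumptions chosen for illustration.

```ini
# eventtypes.conf (assumed to live in an app's local/ directory)
# Event type equivalent to the search saved via Save As > Event Type.
# The search string must be a plain expression: no "|" pipes.
[status_200]
search = index=_internal sourcetype="splunkd_ui_access" 200

# Event type that groups the two tagged error statuses in one object
# (tag names below are assumed; "HTTP Error" is the name used in the post).
[HTTP Error]
search = index=_internal sourcetype="splunkd_ui_access" (tag=404error OR tag=304error)

# tags.conf
# Tag on a field-value pair, the same thing Settings > Tags >
# "List by field value pair" > Add new writes for you.
[status=404]
404error = enabled

# Assumed second tag for status 304, used by the "HTTP Error" event type above.
[status=304]
304error = enabled

# A tag can also be attached to the event type itself, so that
# tag=http_error returns every event the event type matches.
[eventtype=HTTP Error]
http_error = enabled
```

Search tag=404error or tag::status=404error to confirm the field-value tag, and eventtype="HTTP Error" (quoted, because the name contains a space) to confirm the grouped event type.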
This is all about “Splunk Knowledge Objects: Tag vs EventType”; see you all in the next one.