Module 9: Working with Tags and Event Types Flashcards
Describe what a tag is.
- Tags are like nicknames that you create for related field/value pairs
- Tags make your data more understandable and less ambiguous
- You can create one or more tags for any field/value combination
- Tags are case sensitive
How do you create a tag?
- Click on the arrow for event details
- Under Actions, click the down arrow
- Select Edit Tags
- Name the tags, separated by commas
When tagged field/value pairs are selected, the tags appear how?
- In the results as tags
- In parentheses next to the associated field/value pairs
How do you use tags in a search?
Use the syntax: tag=<value>
To search for a tag associated with a value:
- tag=<value>
example: tag=privileged
To search for a tag associated with a value on a specific field:
- tag::<field>=<value>
example: tag::user=privileged
To search for a tag using a partial field value:
- use the (*) wildcard
example: tag=p*
How do you manage tags when listing by field/value pair?
- Settings > Tags > List by field value pair
You can also:
- edit permissions
- disable all tags for the pair - this disables the tag in searches and prevents it from being listed under List by Tag Name and All unique tag objects
How do you add/change the tag name?
Click list by field value pair to add another tag or change the name of the tag
How do you add/change the field value pair?
Click list by tag name to add or edit the field value pair for the tag
Describe event types.
- A method of categorizing events based on a search
- A useful method for institutional knowledge capturing and sharing
- Can be tagged to group similar types of events
How do you create an event type from the search page?
- Run a search and verify that all results meet your event type criteria
- From the save as menu, select event type
- Provide a name for your event type (name should not contain spaces)
How would you use the event type builder?
- From the event details, select Event Actions > Build Event Type
- Refine the criteria for your event type, such as:
  - search string
  - field values
  - tags
- Verify your selections and click Save
- The event type must be a basic search (cannot contain pipes or subsearches)
How would you verify the event type?
Search for eventtype=web_error
Where does the event type display?
In the Fields sidebar and can be added as a selected field
When does Splunk evaluate the events?
Splunk evaluates the events and applies the appropriate event types at search time
What can you do when using the fields sidebar?
You can easily view the individual event types, with the number of events and the percentage for each
How can you tag event types?
You can tag event types in two ways:
- Settings > Event types
- Event details > Actions
How do event types compare to saved reports?
Event types:
- categorize events based on a search string
- tag event types to organize data into categories
- the eventtype field can be included in a search string
- does not include a time range
Saved reports:
- search criteria will not change
- includes a time range and formatting of the results
- can be shared with Splunk users and added to dashboards