Module 9: Working with Tags and Event Types

Question 1

Describe what a tag is?

Answer 1

• Tags are like nicknames that you create for related field/value pairs
• Tags make your data more understandable and less ambiguous
• You can create one or more tags for any field/value combination
• Tags are case sensitive

Question 2

How do you create a tag?

Answer 2

1. Click on the arrow for event details
2. Under Actions, click the down arrow
3. Select Edit TAgs
4. Name the tags, separated by commas

Question 3

When tagged field/value pairs are selected, the tags appear how?

Answer 3

• In the results as tags

- In parentheses next to the associated field/value pairs

Question 4

How do you use tags in a search?

Answer 4

Use the syntax: tag=

Question 5

To search for a tag associated with a value:

Answer 5

• tag=

example: tag=privileged

Question 6

To search for a tag associated with a value on a specific field:

Answer 6

• tag::=

example: tag::user=privileged

Question 7

To search for a tag using a partial field value:

Answer 7

• use (*) wildcard

example: tag=p*

Question 8

How do you manage tags when list by field value pair?

Answer 8

• settings
• tags
• list by field value pair
  You can also:
• edit permissions
• disable all tags for pair - disables the tag in searches and prevents it from being listed under List by Tag Name and All unique tag objects

Question 9

How do you add/change the tag name?

Answer 9

Click list by field value pair to add another tag or change the name of the tag

Question 10

How do you add/change the field value pair?

Answer 10

Click list by tag name to add or edit the field value pair for the tag

Question 11

Describe event types?

Answer 11

• A method of categorizing events based on a search
• A useful method for institutional knowledge capturing and sharing
• Can be tagged to group similar types of events

Question 12

How do you create an event type from the search page?

Answer 12

1. Run a search and verify that all results meet your event type criteria
2. From the save as menu, select event type
3. Provide a name for your event type (name should not contain spaces)

Question 13

How would you use the event type builder?

Answer 13

1. From the event details, select event actions > build event type
2. Refine the criteria for your event type such as
   - search string
   - field values
   - tags
3. Verify your selections and click save
   Must be a basic search (cannot contain pipes or subsearches)

Question 14

How would you verify the event type?

Answer 14

Search for eventtype=web_error

Question 15

Where does the event type display?

Answer 15

In the Fields sidebar and can be added as a selected field

Question 16

When does Splunk evaluate the events?

Answer 16

Splunk evaluates the events and applies the appropriate event types at search time

Question 17

What can you do when using the fields sidebar?

Answer 17

You can easily view the individual event types, the number of events, and percentage

Question 18

How can you tag event types?

Answer 18

You can tag event types 2 ways:

1. Settings > Event types
2. Event details > Actions

Question 19

How do event types compare to saved reports?

Answer 19

Event type:

• categorize events based on a search string
• tag event types to organize data into categories
• the eventtype field can be included in a search string
• does not include a time range

Saved Reports:

• search criteria will not change
• includes a time range and formatting of the results
• can be shared with Splunk users and added to dashboards