Creating Tags and Event Types

Question 1

What are Tags?

Answer 1

Tags allow you to designate descriptive names for key-value pairs that make your data more understandable.

Question 2

True or False: Tag values are case sensitive

Answer 2

True.

Question 3

Tags can be used in a search with ______.

Answer 3

• A tag value
• A partial tag value with a wildcard
• A tag associated with a specific

Question 4

What is the syntax for searching for a tag associated with a value on a specific field?

Answer 4

tag::<field>=<tag></tag></field>

Ex.
tag::user=privileged

Question 5

What are the different ways to manage tags

Answer 5

• List by field value pair
• List by tag name
• All unique tag objects

*Note you will have different editing options depending on which option you choose.

Question 6

What is the syntax when searching for a tag associated with a value?

Answer 6

tag=<tagname></tagname>

Question 7

How do you search for a tag using a partial field value?

Answer 7

Using a wildcard (*)

Ex.
tag=p*

Question 8

Tags make your data _____

Answer 8

More understandable and less ambiguous.

Question 9

True or false: you can create one or more tags for any field/value combination.

Answer 9

True.

Question 10

What are event types?

Answer 10

Event types allow you categorize events based on search terms.

Question 11

How do you create an event type?

Answer 11

By saving a search as an event type using the drop down.

Question 12

What is the difference between event types and saved reports?

Answer 12

Event Types:
- Categorize events based on a search string
- Use tags to organize
- Allow you to use the eventtype field within a search string
- Do NOT include a time range

Saved Reports:
- Used when the search criteria will not change
- When time range and formatting is needed
- Share with other Splunk users
- Add to dashboards

Question 13

When multiple event types with different color values are assigned to the same event, what determines the color displayed for the event?

Answer 13

Priority determines the order of the event type listing in the expanded event.

Priority determines which event type color displays.

Question 14

What is the difference between event types and saved searches?

Answer 14

Saved Search:
1. Search criteria will not change
2. Includes a time range and formatting of the results
3. Can be shared with Splunk users and added to dashboards

Event Types:
1. Categorize events based on a search string
2. Tag event types to organize data into categories
3. The eventtype field can be included in a search string
4. Does not include a time range

Question 15

True or False: Event Types include a time range

Answer 15

False.

Question 16

Describe the strengths of event types.

Answer 16

• Categorize events based on a search string
• Tag event types to organize data into categories
• The eventtype field can be included in a search string
• Does not include a time range
• A useful method for institutional knowledge capturing and sharing
• Can be tagged to group similar types of events

Question 17

What are valid ways to create an event type?

Answer 17

Event Type Builder:
- From the event details, select Event Actions > Build Event Type

From the search page:
- From the save as menu, select Event Type