
SPLK-1002 Creating Tags and Event Types


Creating Tags and Event Types Detailed Explanation

Tags and event types are search-time knowledge objects that make searches shorter and keep data organized. A tag is a label attached to a specific field value (for example status_code=404), so a search can name the label instead of the value; an event type is a search string whose name is added to every matching event as a value of the eventtype field, so a category of events can be reused by name across searches, reports and alerts.

1. Tags

1.1. What Are Tags?

Tags are labels applied to specific field values to:

  • Make searches simpler and more meaningful.
  • Group similar field values under a single tag.
  • Allow quick retrieval of related events using the tag.

1.2. How to Create Tags

Tags can be created directly from the Splunk Web interface during a search.

Steps to Create a Tag
  1. Run a search that returns events containing the field value you want to tag.
  2. Expand an event in the results and locate the field (e.g., status_code) and the value to tag.
  3. Open the Actions menu next to that field value and choose Edit Tags.
  4. Enter one or more tag names (comma-separated) and save. The tag applies to the field value pair, not to the single event, so every event with that value now carries the tag.
Example
  • Field: status_code
  • Value: 404
  • Tag: ClientError

Query:

search tag=ClientError

Result: Returns every event carrying a field value tagged ClientError. With only status_code=404 tagged so far, that is exactly the events where status_code=404; as more values receive the tag, the same search grows to cover them.

1.3. Use Cases for Tags

  1. Simplifying Searches

    • Instead of remembering specific field-value pairs, you can use intuitive tags.

    • Example:

      • Without Tags:

        index=web_logs status_code=404 OR status_code=500
        
      • With Tags:

        search tag=ClientError OR tag=ServerError
        
  2. Grouping Related Field Values

    • Assign the same tag to multiple field values to group them under one label.
    • Example:
      • Tag ClientError for status_code=400, 401, 403, 404.
  3. Streamlining Collaboration

    • Tags provide a shared vocabulary for team members working on the same dataset.

2. Event Types

2.1. What Are Event Types?

Event types are knowledge objects, each defined by a search string (not reports or alerts, even though both are often called "saved searches"), that:

  • Categorize events based on specific conditions.
  • Add their name to every matching event as a value of the eventtype field, so events can be retrieved with eventtype=<name>.
  • Allow consistent and reusable groupings of events.
  • Simplify monitoring and analysis by labeling event categories.

2.2. How to Create Event Types

Event types are configured in the Splunk Web interface.

Steps to Create an Event Type
  1. Navigate to Settings > Event types (or, from a finished search, choose Save As > Event Type).
  2. Click New Event Type.
  3. Define:
    • Name: A descriptive name for the event type; it becomes the eventtype field value on every matching event.
    • Search String: The search that identifies the events to include. It may not contain a pipe or a subsearch.
    • Priority (optional): 1 (highest) to 10. When several event types match one event, the highest-priority one decides the color and is listed first.
    • Color (optional): Highlights matching events in the event list of search results.
Example
  • Search String: status_code=500
  • Event Type Name: ServerError

Query:

search eventtype=ServerError

Result: Retrieves all events where status_code=500.

2.3. Use Cases for Event Types

  1. Grouping Similar Events

    • Example: Create event types for HTTP response categories:

      • ClientError: status_code>=400 status_code<500
      • ServerError: status_code>=500 status_code<600
    • Query:

      search eventtype=ClientError
      
  2. Monitoring Specific Events

    • Use event types to define critical events for monitoring:
      • HighCPU: cpu_usage>90
      • HighMemory: memory_usage>80
    • Monitor these event types in dashboards.
  3. Applying Tags to Event Types

    • Because each matching event carries eventtype=<name>, that field value can itself be tagged like any other. Tag eventtype=HighCPU and eventtype=HighMemory with CriticalAlert and one search covers both:

      search tag=CriticalAlert
      

3. Best Practices

3.1. For Tags

  1. Use descriptive tag names.
    • Example: Use CriticalError instead of Error1.
  2. Keep tags consistent across datasets.
    • Example: Use the same tag for similar status codes in multiple logs.
  3. Avoid overly broad tags.
    • Example: Avoid tagging all status_code values as HTTP.

3.2. For Event Types

  1. Use precise search strings to avoid misclassification.
    • Example: status_code>=500 AND status_code<600 instead of status_code>499.
  2. Use colors so matching events stand out in the event list; set priority so the most important event type wins when several match.
  3. Regularly review and update event types to reflect changing requirements.

4. Practical Exercises

Exercise 1: Create a Tag

  1. Perform a search to identify status_code=404.

  2. Create a tag ClientError for this value.

  3. Query:

    search tag=ClientError
    
  4. Task: Verify that the query retrieves events with status_code=404.

Exercise 2: Create an Event Type

  1. Create an event type for status_code=500 named ServerError.

  2. Query:

    search eventtype=ServerError
    
  3. Task: Verify that the query retrieves events with status_code=500.

Exercise 3: Apply Tags to Multiple Values

  1. Assign the tag ClientError to the following values: 400, 401, 403, 404.

  2. Query:

    search tag=ClientError
    
  3. Task: Confirm that events with any of these status_code values are retrieved.

Exercise 4: Combine Tags and Event Types

  1. Create an event type for high CPU usage:

    cpu_usage>90
    

    Name it HighCPU.

  2. Assign a tag CriticalAlert to the HighCPU event type.

  3. Query:

    search tag=CriticalAlert
    
  4. Task: Verify that events with high CPU usage are retrieved.

5. Advanced Use Cases

5.1. Hierarchical Tags

Tags have no built-in hierarchy, but you can build one by assigning a broad tag and a narrower tag to the same field value; the broad tag must then be assigned to every value the narrower tags cover.

Example: HTTP Status Codes
  1. Assign multiple tags to status_code=404:

    • Tag 1: Error
    • Tag 2: ClientError
  2. Query:

    search tag=Error
    

    Result: Retrieves all error events, both client and server side, provided the Error tag was also assigned to the 5xx values (tags are not inherited from one another; each value must carry the tag explicitly).

  3. Query:

    search tag=ClientError
    

    Result: Retrieves only client-side errors.

5.2. Dynamic Event Types

Event types are evaluated at search time against whatever events the search returns, so one event type can combine several conditions and use wildcards. It keeps classifying new hosts and values correctly without being redefined.

Example: High Resource Usage Alerts

Define an event type that matches high CPU or memory usage on production hosts:

(cpu_usage>90 OR memory_usage>80) AND host="*prod*"
  • Name: HighResourceUsage

  • Query:

    search eventtype=HighResourceUsage
    

Result: Captures events where either CPU or memory usage exceeds its threshold, restricted to hosts whose name contains prod. The parentheses keep the OR grouped so the host condition applies to both branches.

5.3. Combining Tags with Event Types

You can combine tags and event types for a more granular and intuitive search experience.

Example: Tagging Critical Event Types
  1. Define an event type for high error rates:

    index=web_logs status_code=500 OR status_code=503
    

    Name: ServerError

  2. Assign the tag CriticalAlert to this event type.

  3. Query:

    search tag=CriticalAlert
    

Result: Retrieves all critical alerts, including server errors.

5.4. Applying Tags to Multivalue Fields

Tags can be applied to multivalue fields, which contain multiple entries for a single event.

Example: Tagging Categories
  1. Field: categories

    • Value: electronics, home_appliances (a multivalue field)
  2. Assign tags to each value:

    • electronics → TechProducts
    • home_appliances → HomeGoods
  3. Query:

    search tag=TechProducts
    

Result: Retrieves events where categories include "electronics".

6. Troubleshooting Common Issues

6.1. Tags Not Recognized in Queries

Cause
  • The tag was not applied correctly or is missing for the relevant field value.
Solution
  1. Revisit the tag configuration:
    • Go to Settings > Tags and verify that the tag is applied to the correct field value.
  2. Check the spelling of the tag in your query.

6.2. Event Types Overlapping

Cause
  • Overlapping search criteria cause several event types to match the same event. This is not an error: eventtype is a multivalue field and lists every matching event type, but it can make colors and counts confusing.
Solution
  1. If you need exclusive categories, define non-overlapping search criteria:

    eventtype=ClientError → status_code>=400 status_code<500
    eventtype=ServerError → status_code>=500 status_code<600
    
  2. Otherwise use priority to control presentation:

    • Priority runs from 1 (highest) to 10. When several event types match, the highest-priority one sets the event color and appears first in the eventtype field.

6.3. Performance Issues with Event Types

Cause
  • Complex or inefficient search strings. Event types are applied to every event a search returns, so an expensive definition is paid for on every search that runs over that data.
Solution
  1. Simplify the search string:

    • Replace long OR chains with a range:
    status_code>=500 status_code<600
    

    Instead of:

    (status_code=500 OR status_code=501 OR status_code=502 ...)
    
  2. Filter early:

    • Restrict the index (and sourcetype where possible) in the search string so fewer events are scanned:

      index=web_logs status_code=500
      
    • Do not put time modifiers such as earliest=-1h into an event type. An event type is a classification; the time range belongs to the search or time picker that uses it, and a modifier inside the definition would silently exclude older events from the category.
      

7. Optimization Strategies

7.1. Use Descriptive and Intuitive Names

  • Assign clear, meaningful names to tags and event types.
    • Example:
      • Tag: CriticalAlert
      • Event Type: HighMemoryUsage

7.2. Leverage Colors for Event Types

  • Assign colors to event types so matching events are easy to spot in the event list of search results; the color follows the highest-priority matching event type.

7.3. Regularly Review and Update Tags/Event Types

  • Periodically evaluate tags and event types to ensure they align with current business needs.

8. Practical Exercises

Exercise 1: Create a Hierarchical Tag Structure

  1. Assign the following tags to status_code=404:

    • Error
    • ClientError
  2. Query:

    search tag=Error
    

    Task: Verify that the query retrieves all error events.

Exercise 2: Create a Dynamic Event Type

  1. Define an event type for high CPU usage on production hosts:

    cpu_usage > 90 AND host="*prod*"
    

    Name: HighCPU_Prod

  2. Query:

    search eventtype=HighCPU_Prod
    

    Task: Ensure only events matching the criteria are retrieved.

Exercise 3: Combine Tags and Event Types

  1. Create an event type for HTTP 5xx errors named ServerError.

  2. Assign the tag CriticalAlert to this event type.

  3. Query:

    search tag=CriticalAlert
    
  4. Task: Verify that the query retrieves all server errors tagged as critical alerts.

Exercise 4: Optimize an Event Type

  1. Simplify this event type for status_code=500-599:

    status_code=500 OR status_code=501 OR status_code=502
    
  2. Optimized Version:

    status_code>=500 AND status_code<600
    
  3. Task: Run a search with each version and compare their run times in the Job Inspector.

9. Summary of Key Points

  1. Tags:

    • Simplify searches by grouping field values under intuitive labels.
    • Can be hierarchical, allowing broad and specific categorizations.
  2. Event Types:

    • Save complex searches to consistently categorize events.
    • Use priority and distinct search criteria to manage overlaps effectively.
  3. Best Practices:

    • Use descriptive names for clarity.
    • Regularly review and optimize tags and event types for performance.

Creating Tags and Event Types (Additional Content)

1. Creating Tags Manually via Settings Interface

While tags can be created ad hoc from the search results UI, Splunk also allows manual, predefined tag configuration using the Settings menu. This approach is particularly useful for controlled environments or enterprise deployments.

How to Create Tags via Settings:

  1. Go to Settings > Tags.

  2. Under List by field value pair, click New.

  3. Enter the field value pair to be tagged (e.g., status_code=404).

  4. Assign one or more meaningful tags (e.g., ClientError).

  5. Choose the destination app. After saving, use Permissions to set the sharing level (private, app or global) and read/write access per role.

  6. Save.

Use Case:

  • This method allows centralized tag management without first running a search.

  • Tags created here are written to tags.conf in the chosen app (event types go to eventtypes.conf), so they can be version-controlled and deployed across environments with the rest of the app.
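What those files look like on disk, as an added example rather than content from the original page: the stanzas below encode the ClientError/ServerError event types, the hierarchical tags from section 5.1, the event-type tags from section 5.3 and the priority handling from section 6.2. The index name web_logs, the field names and the host pattern are the page's own; the app directory <app>, the chosen priorities and colors, and the verification searches in the comments are assumptions.

```ini
# $SPLUNK_HOME/etc/apps/<app>/local/eventtypes.conf
# Each stanza name becomes a value of the eventtype field on matching events.
# The search string may not contain a pipe or a subsearch.

[ClientError]
search = index=web_logs status_code>=400 status_code<500
description = HTTP 4xx responses
priority = 5
color = et_yellow

[ServerError]
search = index=web_logs status_code>=500 status_code<600
description = HTTP 5xx responses
# Priority 1 is the highest: if an event matches several event types,
# this one decides the color and is listed first in the eventtype field.
priority = 1
color = et_red

[HighResourceUsage]
search = (cpu_usage>90 OR memory_usage>80) AND host="*prod*"
description = CPU or memory above threshold on production hosts (assumed thresholds)
priority = 2
color = et_orange


# $SPLUNK_HOME/etc/apps/<app>/local/tags.conf
# Stanza name is <field>=<value>; each line is <tagname> = enabled|disabled.
# Values in stanza names are case-sensitive and must match the indexed value.

# Hierarchical tags on raw field values: the broad tag Error must be
# repeated on every value that the narrower tags cover.
[status_code=403]
Error = enabled
ClientError = enabled

[status_code=404]
Error = enabled
ClientError = enabled

[status_code=500]
Error = enabled
ServerError = enabled

# Tags on event types: eventtype is an ordinary field, so every event that
# the ServerError or HighResourceUsage event type matches inherits CriticalAlert.
[eventtype=ServerError]
CriticalAlert = enabled

[eventtype=HighResourceUsage]
CriticalAlert = enabled

# Assumed verification searches after a restart picks up the new files:
#   tag=CriticalAlert              -> events matched by either critical event type
#   tag::eventtype=CriticalAlert   -> the same events, but only via the eventtype field
#   tag::status_code=ClientError   -> 403 and 404 events only
# To see which file each stanza was loaded from after a deployment:
#   splunk btool tags list --debug
```

Files edited directly on disk take effect after a restart, whereas changes made through Settings apply immediately; keeping the files in version control and deploying them with the app gives you a reviewable history of who changed which classification.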

2. How to View Tags and Event Types from Search

Splunk provides multiple ways to inspect which tags or event types are already associated with your data.

View Tags and Event Types via Search:

  • To find events carrying a tag on any field:

    search tag=ClientError
    
  • To find events classified by an event type:

    search eventtype=ServerError
    
  • To see which tags and event types a single event carries, expand it in the results: matching event types appear in the eventtype field, and tagged field values show their tags next to the value.

Pro Tip – List Tags for Each Event:

The tags command writes the tags of the specified fields into the results as a field of their own:

index=web_logs | tags outputfield=tag status_code eventtype

With no field list it tags every field and writes one tag::<field> field per tagged field; this is the quickest way to check how a tag is actually mapped on live data.

3. Using tag::<field>=<tagname> Syntax

tag=<tagname> matches an event if any field value in it carries that tag. The tag::<field> form restricts the match to tags on one named field, which matters when the same tag name is used on several fields (for example on status_code values and on event types).

Syntax Format:

tag::<field>=<tagname>

Example:

search tag::status_code=ClientError
  • This retrieves events whose status_code value is tagged ClientError (400, 401, 403 and 404 in the earlier example). Events that carry ClientError only through another field, such as eventtype, are not returned. Note that the value after the equals sign is the tag name, not the field value.

Use Case:

  • Precise targeting in large or noisy datasets.

  • Helpful in complex correlation rules or in Enterprise Security deployments.

4. Role-Based Note: Who Can Create Tags and Event Types

Not all users can share or configure tags and event types for others.

Required Roles (default Splunk Enterprise roles):

  • Any role, including user, can create tags and event types that are private to the creator, either in the Settings menu or from search result interaction (e.g., "Save as Event Type").

  • Sharing a tag or event type at app or global level, or editing one owned by another user, requires write permission on the app's knowledge objects. The power and admin roles hold this by default; admin can also change the permissions themselves.

Implications:

  • Students or junior users in a shared environment see shared tags and event types and can create private ones, but cannot change the shared definitions unless granted the appropriate permissions.

  • In exam scenarios, this may appear as a multiple-choice detail.

Updated Practical Exercise (with Role Context)

Exercise: Create a Tag via Settings

Role Required: admin, or a role with write permission on the app in which the tag will be shared.

Steps:

  1. Navigate to Settings > Tags.

  2. Add a tag:

    • Field: status_code

    • Value: 404

    • Tag: ClientError

  3. Save and verify with the search:

    search tag=ClientError
    

Task: Confirm that events with status_code=404 appear in the results.

Summary of Key Additions

  1. Manual Tag Creation:
  • Tags can be configured directly via Settings > Tags (stored in tags.conf) for enterprise-scale management.
  2. Search-Time Inspection:
  • Use search tag=<tagname>, search eventtype=<name> or the tags command to discover existing tag mappings.
  3. Tag Field Syntax:
  • tag::<field>=<tagname> restricts a tag search to tags on a single field.
  4. Permissions Reminder:
  • Any user can create private tags and event types; sharing them or editing shared definitions requires write permission on the app, held by power and admin by default.

Frequently Asked Questions

How do tags enhance search capabilities in Splunk?

Answer:

Tags attach descriptive labels to field values to simplify searching.

Explanation:

Tags allow analysts to group related field values under a common label. For example, multiple IP addresses can be tagged as web_server. When searching, analysts can reference the tag rather than listing every individual value. This improves search efficiency and makes queries easier to maintain. Tags are frequently used in combination with event types and the Common Information Model to standardize data classification.


What is the relationship between event types and tags in Splunk?

Answer:

Tags can be applied to event types to classify groups of events.

Explanation:

Event types define search-based categories of events, while tags provide labels that can be attached to field values or event types. When a tag is associated with an event type, all events matching that event type automatically inherit the tag. This enables consistent classification across datasets and simplifies search queries. For example, events categorized as authentication activity can be tagged as authentication, allowing analysts to search using the tag rather than the full search condition.


What is an event type in Splunk?

Answer:

An event type is a saved search that classifies events matching specific criteria.

Explanation:

Event types provide a way to categorize events based on search conditions. When an event matches the defined search expression, it is labeled with the corresponding event type. This simplifies repeated searches because analysts can refer to the event type instead of rewriting complex search queries. Event types are commonly used for identifying categories such as errors, authentication events, or specific application activities.

