In this tutorial, I’ll discuss the importance of creating event types and tags in Splunk. Creating event types and tags may seem simple, but taking the steps to categorize your data early on is crucial when building your data model. Here’s a guide for using event types and tags in Splunk.
A tag is a label attached to a field-value pair, most often to an eventtype, so a single search such as tag=authentication returns login events from every data source that carries the tag, regardless of index or sourcetype.
How to Create and Use Event Types and Tags in Splunk
- Use event types and tags to categorize the events in your data, so that one search can look at the same kind of event across all of your sources instead of one search per source.
- Match tag names to the action they describe. For example, if the field-value pair is action=purchase, tag it purchase. You can create custom tags for any specific type of information you want to isolate.
- Within Enterprise Security, most dashboards and correlation searches run off the CIM data models rather than raw events. Getting data into those models takes more than CIM-compliant field names: each data model's base constraint selects events by tag (the Authentication model, for example, is built on tag=authentication), so a login event with perfectly normalized fields but no event type and tag never reaches the model or the searches that depend on it.
- A single data model can hold several kinds of events: logins, logoffs, timeouts, lockouts, and so on. Categorize them with event types and tags rather than relying on index, sourcetype, and default fields alone, so the data model can identify the events you want without a separate search for each source.
- Defining event types and tagging them is an essential step BEFORE you start building your data models, and it will save you time in the long run.
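As an added illustration (not code from the original post), here is a small Python model of the hop Splunk makes from a raw event to an event type, from the event type to a tag, and from the tag into a data model, with the equivalent eventtypes.conf and tags.conf stanzas rendered from the same definitions. The event type names, the WinEventLog:Security and access_combined sourcetypes, the sample events and the simplified Authentication constraint are all constructed for the example; the real CIM Authentication model selects on tag=authentication with a few extra exclusions, and real eventtype searches can be any pipe-free search expression, not only the AND-ed field=value terms this evaluator understands.

```python
# Added example, not code from the original post. It models the hop Splunk
# makes from event -> eventtype -> tag -> data model and renders the matching
# eventtypes.conf / tags.conf stanzas. All names, sourcetypes and the data-model
# constraint below are constructed for illustration; real eventtypes.conf
# `search =` values are SPL (no pipes allowed), and this evaluator only
# understands AND-ed field=value terms.

# eventtypes.conf equivalent: eventtype name -> field=value terms that must all match.
EVENTTYPES = {
    "windows_logon_success": {"sourcetype": "WinEventLog:Security", "EventCode": "4624"},
    "windows_logon_failure": {"sourcetype": "WinEventLog:Security", "EventCode": "4625"},
    "web_purchase":          {"sourcetype": "access_combined", "action": "purchase"},
}

# tags.conf equivalent: "<field>=<value>" stanza -> tags. The eventtype field is
# the usual target, but any field-value pair (action=purchase) can be tagged directly.
TAGS = {
    "eventtype=windows_logon_success": ["authentication"],
    "eventtype=windows_logon_failure": ["authentication"],
    "action=purchase":                 ["purchase"],
}

# Simplified stand-in for a CIM data model's base constraint: membership is
# decided by tag, and the listed fields are the ones ES searches expect filled.
DATA_MODELS = {
    "Authentication": {"tag": "authentication", "fields": ["action", "user", "src"]},
}

# Constructed sample events, already field-extracted as Splunk would present them.
SAMPLE_EVENTS = [
    {"sourcetype": "WinEventLog:Security", "EventCode": "4624",
     "action": "success", "user": "alice", "src": "10.0.0.5"},
    {"sourcetype": "WinEventLog:Security", "EventCode": "4625",
     "action": "failure", "user": "bob", "src": "10.0.0.9"},
    # CIM-compliant field names but no eventtype/tag defined for this sourcetype
    {"sourcetype": "vpn_appliance", "action": "success", "user": "carol", "src": "203.0.113.7"},
    # Tagged through a raw field=value stanza rather than through an eventtype
    {"sourcetype": "access_combined", "action": "purchase", "user": "dave"},
]


def eventtypes_for(event):
    """Eventtypes whose constraint terms all match the event's fields."""
    return [name for name, terms in EVENTTYPES.items()
            if all(event.get(f) == v for f, v in terms.items())]


def tags_for(event):
    """Tags applied to the event's own field=value pairs plus its derived eventtypes."""
    pairs = {f"{f}={v}" for f, v in event.items()}
    pairs |= {f"eventtype={et}" for et in eventtypes_for(event)}
    return sorted({t for stanza, stanza_tags in TAGS.items() if stanza in pairs
                   for t in stanza_tags})


def data_model_membership(event):
    """For each data model, whether the event is selected by its tag constraint."""
    tags = tags_for(event)
    verdict = {}
    for name, spec in DATA_MODELS.items():
        if spec["tag"] not in tags:
            verdict[name] = f"excluded: missing tag={spec['tag']}"
            continue
        missing = [f for f in spec["fields"] if f not in event]
        verdict[name] = ("included" if not missing
                         else "included, but empty fields: " + ", ".join(missing))
    return verdict


def render_eventtypes_conf():
    """The eventtypes.conf stanzas equivalent to EVENTTYPES."""
    out = []
    for name, terms in EVENTTYPES.items():
        search = " ".join(f'{f}="{v}"' for f, v in terms.items())
        out += [f"[{name}]", f"search = {search}", ""]
    return "\n".join(out)


def render_tags_conf():
    """The tags.conf stanzas equivalent to TAGS."""
    out = []
    for stanza, stanza_tags in TAGS.items():
        out += [f"[{stanza}]"] + [f"{t} = enabled" for t in stanza_tags] + [""]
    return "\n".join(out)


if __name__ == "__main__":
    print("# eventtypes.conf\n" + render_eventtypes_conf())
    print("# tags.conf\n" + render_tags_conf())
    for ev in SAMPLE_EVENTS:
        print(ev["sourcetype"], eventtypes_for(ev), tags_for(ev), data_model_membership(ev))
```

Run it and compare the third sample event with the first two: its fields are CIM-compliant, but with no event type and tag defined for its sourcetype it never reaches the Authentication model, which is the failure the list above warns about. In a real deployment the two rendered files go in the local/ directory of an app whose knowledge objects are shared globally, so that Enterprise Security's data models can see the tags.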
If you found this helpful…
You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.
Cue Atlas Assessment: a customized report to show you where your Splunk environment is excelling and opportunities for improvement. Once you download the app, you’ll get your report in just 30 minutes.