
Data onboarding - defining event types and tags
Event types in Splunk are a way of categorizing common types of events in your data to make them easier to search and report on. One advantage of using event types is that they can assist in applying a common classification to similar events. Event types essentially turn chunks of search criteria into field/value pairs. Tags help you search groups of event data more efficiently and can be assigned to any field/value combination, including event types.
For example, Windows log-on events could be given an event type of windows_logon, Unix log-on events could be given an event type of unix_logon, and VPN log-on events could be given an event type of vpn_logon. We could then tag these three event types with a tag of logon_event. A simple search for tag="logon_event" would then search across the Windows, Unix, and VPN source types and return all the log-on events. Alternatively, if we want to search only for Windows log-on events, we will search for eventtype=windows_logon.
This recipe will show how to define event types and tags for use with the sample data. Specifically, you will define an event type for successful web server events.
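The log-on example above, plus the recipe's successful-web-server event type, expressed as Splunk configuration stanzas. This is an added illustration, not configuration from the recipe or its sample data; the source type names, the Windows EventCode value, and the status-code test are assumptions.

```ini
# eventtypes.conf (added example): each stanza name becomes the value of the
# "eventtype" field on every event that the stanza's search matches.
# Source types, EventCode=4624 and the status=2* test are assumptions about
# the data, not values taken from the recipe.

[windows_logon]
search = sourcetype="WinEventLog:Security" EventCode=4624

[unix_logon]
search = sourcetype=linux_secure ("Accepted password" OR "Accepted publickey")

[vpn_logon]
search = sourcetype=vpn action=success

# Event type for the recipe's successful web server events (2xx responses).
[web_success]
search = sourcetype=access_combined status=2*

# tags.conf (added example): a tag is attached to a field/value pair. Using
# eventtype=<name> as the pair gives all three log-on event types one tag.
[eventtype=windows_logon]
logon_event = enabled

[eventtype=unix_logon]
logon_event = enabled

[eventtype=vpn_logon]
logon_event = enabled

# Resulting searches:
#   tag="logon_event"        -> Windows, Unix and VPN log-ons together
#   eventtype=windows_logon  -> Windows log-ons only
#   eventtype=web_success    -> successful web requests only
```

Event type searches must be plain search terms without pipes or transforming commands, otherwise Splunk will not apply them at search time.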
For more information on event types and tags in Splunk, check out
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Abouteventtypes and
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Abouttagsandaliases.