Tag event types
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Tag event types
Tag event types to add information to your data. Any event type can have multiple tags. For example, you can tag all firewall event types as firewall, tag a subset of firewall event types as deny and tag another subset as allow. Once an event type is tagged, any event type matching the tagged pattern will also be tagged.
Note: You can tag an event type when you create it in Splunk Web or configure it in eventtypes.conf.
Add tags to event types using Manager
Splunk Manager enables you to view and edit lists of event types.
- Navigate to Manager > Event types.
- Locate the event type you want to tag and click on its name to go to its detail page.
- Note: Keep in mind that event types are often associated with specific Splunk apps. They also have role-based permissions that can prevent you from seeing and/or editing them.
- On the detail page for the event type, add or edit tags in the Tags field.
- Click Save to confirm your changes.
Once you have tagged an event type, you can search for it in the search bar with the syntax tag::<field>=<tagname> or tag=<tagname>:
tag=footag::host=*local*This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 View the Article History for its revisions.