About tags and aliases

In your data, you might have groups of events with related field values. To help you search more efficiently for these particular groups of event data, you can assign tags to their field values. You can assign one or more tags to any field/value combination (including event type, host, source, or source type).

You can use tags to:

• Help you track abstract field values, like IP addresses or ID numbers. For example, you could have an IP address related to your main office with the value 192.168.1.2. Tag that IPaddress value as mainoffice, and then search on that tag to find events with that IP address.
• Use one tag to group a set of field values together, so you can search on them with one simple command. For example, you might find that you have two host names that relate to the same computer. You could give both of those values the same tag. When you search on that tag, events involving both host name values are returned.
• Give specific extracted fields multiple tags that reflect different aspects of their identity, which enable you to perform tag-based searches that help you quickly narrow down the results you want. To understand how this could work, see the following example.

Example:

Let's say you have an extracted field called IPaddress, which refers to the IP addresses of the data sources within your company intranet. You can make IPaddress useful by tagging each IP address based on its functionality or location. You can tag all of your routers' IP addresses as router. You can also tag each IP address based on its location, for example: SF or Building1. An IP address of a router located in San Francisco inside Building 1 could have the tags router, SF, and Building1.

To search for all routers in San Francisco that are not in Building1, you'd search for the following:

tag=router tag=SF NOT (tag=Building1)