Splunk Cloud Platform

Knowledge Manager Manual

Tag event types

Tag event types to add information to your data. Any event type can have multiple tags. For example, you can tag all firewall event types as firewall, tag a subset of firewall event types as deny and tag another subset as allow. Once an event type is tagged, any event type matching the tagged pattern will also be tagged.

Note: You can tag an event type when you create it in Splunk Web or configure it in eventtypes.conf.

Add tags to event types using Splunk Web

Splunk Web enables you to view and edit lists of event types.

  • Navigate to Settings > Event types.
  • Locate the event type you want to tag and click on its name to go to its detail page.
    • Note: Keep in mind that event types are often associated with specific Splunk apps. They also have role-based permissions that can prevent you from seeing and/or editing them.
  • On the detail page for the event type, add or edit tags in the Tags field.
  • Click Save to confirm your changes.

Once you have tagged an event type, you can search for it in the search bar with the syntax tag::<field>=<tagname> or tag=<tagname>:

tag=foo

tag::host=*local*

Last modified on 23 May, 2017
Tag the host field   Create field aliases in Splunk Web

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters