Tag event types
Tag event types to add information to your data. Any event type can have multiple tags. For example, you can tag all firewall event types as firewall, tag a subset of firewall event types as deny and tag another subset as allow. Once an event type is tagged, any event type matching the tagged pattern will also be tagged.
Note: You can tag an event type when you create it in Splunk Web or configure it in eventtypes.conf.
Add tags to event types using Splunk Web
Splunk Web enables you to view and edit lists of event types.
- Navigate to Settings > Event types.
- Locate the event type you want to tag and click on its name to go to its detail page.
- Note: Keep in mind that event types are often associated with specific Splunk apps. They also have role-based permissions that can prevent you from seeing and/or editing them.
- On the detail page for the event type, add or edit tags in the Tags field.
- Click Save to confirm your changes.
Once you have tagged an event type, you can search for it in the search bar with the syntax tag::<field>=<tagname>
or tag=<tagname>
:
tag=foo
tag::host=*local*
Tag the host field | Create field aliases in Splunk Web |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)
Feedback submitted, thanks!