Tag event types

Tag event types to add information to your data. Any event type can have multiple tags. For example, you can tag all firewall event types as firewall, tag a subset of firewall event types as deny and tag another subset as allow. Once an event type is tagged, any event type matching the tagged pattern will also be tagged.

Note: You can tag an event type when you create it in Splunk Web or configure it in eventtypes.conf.

Add tags to event types using Splunk Web

Splunk Web enables you to view and edit lists of event types.

  • Navigate to Settings > Event types.
  • Locate the event type you want to tag and click on its name to go to its detail page.
    Note: Keep in mind that event types are often associated with specific Splunk apps. They also have role-based permissions that can prevent you from seeing and editing them.
  • On the detail page for the event type, add or edit tags in the Tags field.
  • Click Save to confirm your changes.

Once you have tagged an event type, you can search for it in the search bar with the syntax tag::<field>=<tagname> or tag=<tagname>: 

tag=foo
tag::host=*local*

Use macros with event types and tags

When using macros containing concatenated expressions in searches with event types and tags, enclose the macro definitions with parentheses.

Note: Ignore this section if you don't use macros in your searches.

To ensure that Splunk software correctly expands macros containing concatenated expressions in searches with event types and tags, enclose your macro definitions with parentheses.

See Use search macros in searches

Example 1: A search without a macro

Say you save the following search string as an event type called IDtest, which includes an implicit AND that concatenates two expressions:

index=_internal sourcetype=splunk_btool

Then, you tag your IDtest event type with the IDtag tag and run the following search in Splunk Web: 

index=_audit OR tag="IDtag"

Splunk expands the search string with the tag as follows:

litsearch(index=_audit OR (index=_internal sourcetype=splunk_btool))

This expanded search string will fetch events that have index=_audit, or events that have index=_internal and sourcetype=splunk_bool. As a result, all events in the _audit index will be included in the search results regardless of their source type.

Example 2: A search with a macro

Now, say instead of saving that long search string to your IDtest event type like you did in the first example, you define a macro called ID_macro that runs the same search: 

index=_internal sourcetype=splunk_btool

Then, you run the same search in Splunk Web as before: 

index=_audit OR tag="IDtag"

This time, the search string is the equivalent of the following search:

(index=_audit OR `ID_macro`)

Now, when Splunk software expands this search string, it looks like this: 

litsearch (index=_audit OR index=_internal sourcetype=splunk_btool)

As you can see, this expanded search string is missing the parentheses around the two expressions that follow the OR operator. As a result, this search string has a different meaning than the search string in the first example. This search will fetch all events in the _audit or _internal index that have sourcetype=splunk_bool; events in the _audit index will only be included in the search results if their source type is splunk_bool.

Because the parentheses are missing from the macro expansion, you don't get the search results you expect. To get the same behavior as the first example, just add parentheses in the macro definition, like this:

(index=_internal sourcetype=splunk_btool)

Then, the next time you run your search, the macro will expand with the parentheses and your event types and tags will work as intended.