Note that itemid=EST-14 has been tagged as ITEM14.
Tags enable you to search more easily and to convey meaning about the field values. When you search tag=ITEM14, all the cases where itemid=EST-14 show up. By using tags in this manner, you can facilitate your analysis.
Setting event types
Another way of preparing data to be reported is to set event types, which let you put
events into categories. When setting event types, you can use wildcards, field values, and
Boolean expressions. This capability makes event types more versatile and powerful than
tags, for which you can only use field values. As with tags, you can choose the categories
you like.
When setting event types, be aware of the following:
1. You can't use a sub-search to create an event type.
2. You can't use pipes in a search that creates an event type.
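The two restrictions above can be checked before a search is saved as an event type. The following Python check is an added example, not from the original text or from Splunk; the function name event_type_problems and the sample searches are hypothetical, and it assumes that sub-searches are written in square brackets and that characters inside double quotes are literal text.

```python
# Added example: lint candidate event-type searches against the two rules above.
# Assumptions: a sub-search is introduced by "[" outside double quotes, and a
# "|" or "[" inside a double-quoted string is literal text, not an operator.

def event_type_problems(search):
    """Return a list of reasons the search cannot define an event type."""
    problems = []
    in_quotes = False
    escaped = False
    for pos, ch in enumerate(search):
        if escaped:                      # character after a backslash in quotes
            escaped = False
        elif in_quotes and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif in_quotes:
            continue                     # quoted text is never an operator
        elif ch == "|":
            problems.append(f"pipe at offset {pos}")
        elif ch == "[":
            problems.append(f"subsearch at offset {pos}")
    if in_quotes:
        problems.append("unterminated quote")
    return problems


# Constructed sample searches; only the first one appears in the text.
SAMPLES = [
    'sourcetype="access_*" status=200 action=purchase',
    'sourcetype="access_*" status=200 | stats count by itemid',
    'sourcetype="access_*" [search action=purchase | fields itemid]',
    'uri_query="a|b[c]" status=200',
]

if __name__ == "__main__":
    for candidate in SAMPLES:
        found = event_type_problems(candidate)
        verdict = "ok" if not found else "rejected: " + ", ".join(found)
        print(f"{candidate}\n    {verdict}")
```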
As an example of how to create an event type, take the following steps using the
buttercupgames file:
◦ Enter this into the search bar:
sourcetype="access_*" status=200 action=purchase
◦ This creates a search for events where the sourcetype is an accessed web
page, the access was successful (status=200), and it ended in a purchase: