...

Analysts working with Devo later use the tag as a way of identifying the log file they want to query using the Finder. When a tag is selected in the Finder, the events in the file are parsed for display in the query window, using the parser associated with that tag. 

Devo has pre-defined tags for hundreds of common data sources. This means that Devo is already capable of correctly parsing the data source's events. For more details, read about the supported technologies.

This article describes the following topics related to Devo tags:

...

Tags can be applied to events in a few different ways. The important thing is that all events delivered to the Devo Cloud are associated with the correct tag. Tags can be associated with events:

  • At the data source. For example, rsyslog offers the ability to associate tags to the data it sends.

  • By the Devo Relay. Tags are applied by rules that process incoming events depending on the relay entry port. 

...

In Devo, tags are composed of multiple elements (or levels), a minimum of two and a maximum of six, separated by dots following this general format:

...

The first two elements, technology and brand, are mandatory and help to identify and categorize the data source. For example, web.apache and web.nginx both use the technology element to describe the data source as a web server, while the brand element indicates the vendor.

The type and subtype elements are optional but you will find that in most cases, either one or both are needed to describe the specific data source (log file). Continuing our example, both Apache and Nginx web servers generate logs of several types. As a result, the tags for the Nginx access and error logs are web.nginx.accesslt and web.nginx.error.

For an Apache server, these are web.apache.accesslt and web.apache.error. Now, a company may have several web servers and therefore several access logs. The subtype element is appended to distinguish between logs of the same type by identifying the specific machine that is generating the log events. The subtype can itself include up to three levels, which can be useful when formulating your subtypes. For example, we could end up with a complete tag like web.apache.error.pro.devo.server1 that identifies events from an Apache web server error log generated by the machine pro.devo.server1.

The main rules for the structure of tags are:

  • Each tag can have up to six levels of detail, the first three being the technology, brand, and type. The subtype can then contain up to three parts.

  • Tags can only be made of alphanumeric characters and periods. They cannot contain special characters or symbols.

  • The maximum length of a tag is 50 characters.

Correct Syntax

  • box.unix

  • web.apache

  • web.apache.error.pro.devo.server1

  • a.b.c

Incorrect Syntax

  • box.unix. is incorrect because it ends with a period.

  • web.apache.error.pro.devo/inc.server1 is incorrect because it contains a special character ( "/" ).

  • a[ ].b.c is also incorrect because it contains special characters ("[]").
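
A syntax check for the tag rules above, written here as an added example (it is not Devo code, and the names tag_errors and parse_tag are hypothetical). It assumes "alphanumeric" means ASCII letters and digits and that any empty level, not only a trailing one, is invalid; it checks syntax only, not whether a parser exists for the tag.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

MAX_TAG_LENGTH = 50              # rule from the page: maximum tag length
MIN_LEVELS, MAX_LEVELS = 2, 6    # technology and brand mandatory, six levels at most
# Assumption: "alphanumeric" means ASCII letters and digits only.
LEVEL_RE = re.compile(r"[A-Za-z0-9]+")


class ParsedTag(NamedTuple):
    technology: str
    brand: str
    type: Optional[str]
    subtype: Tuple[str, ...]     # up to three parts


def tag_errors(tag: str) -> List[str]:
    """Return every rule the tag breaks; an empty list means valid syntax."""
    errors = []
    if len(tag) > MAX_TAG_LENGTH:
        errors.append(f"length {len(tag)} exceeds {MAX_TAG_LENGTH} characters")
    levels = tag.split(".")
    if not MIN_LEVELS <= len(levels) <= MAX_LEVELS:
        errors.append(f"{len(levels)} levels; expected {MIN_LEVELS} to {MAX_LEVELS}")
    for position, level in enumerate(levels, start=1):
        if level == "":
            # Covers a trailing period (box.unix.) and, by assumption,
            # a leading period or two consecutive periods.
            errors.append(f"level {position} is empty")
        elif not LEVEL_RE.fullmatch(level):
            bad = sorted(set(re.sub(r"[A-Za-z0-9]", "", level)))
            errors.append(f"level {position} contains {bad}")
    return errors


def parse_tag(tag: str) -> ParsedTag:
    """Split a valid tag into its elements; raise ValueError otherwise."""
    errors = tag_errors(tag)
    if errors:
        raise ValueError(f"invalid tag {tag!r}: " + "; ".join(errors))
    levels = tag.split(".")
    return ParsedTag(levels[0], levels[1],
                     levels[2] if len(levels) > 2 else None, tuple(levels[3:]))


if __name__ == "__main__":
    # The correct and incorrect examples listed on this page.
    for sample in ("box.unix", "web.apache.error.pro.devo.server1", "box.unix.",
                   "web.apache.error.pro.devo/inc.server1", "a[ ].b.c"):
        print(f"{sample!r}: {tag_errors(sample) or 'ok'}")
```

Running the same check on tags before they are written into rsyslog or relay rules catches a malformed tag at configuration time rather than after events have been sent.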

Note

Consult Devo parsers

You can only use the tags in the List of Devo parsers or tags that have been defined for you by the Devo Professional Services team. These are the tags associated with the utility necessary to parse the associated events. In most cases, unless otherwise indicated, the tags are listed by the first few "fixed" levels, and subsequent levels can be user-defined, or "free".

...

Proprietary logs or data from a product not yet supported by Devo can be marked with the tag my.app. This tag has been defined specifically for all types of common data coming from unknown sources. The first time Devo receives an event with a tag starting with my.app, it will generate a notification to inform you.

...