Tags vs Fields


(Michael Li Zhou) #1

Here is a simple question yet I do not know the difference: what is the difference between a tag and a field?


(Mark Walkom) #2

A field is a subset of the event/document.

A tag is an attribute you can apply to either do conditional based filter on, or to make it easier for searching.


(Michael Li Zhou) #3

Still confused probably both can be used to quickly query for a specific attribute. Does this mean I should only add fields when I do not need to do conditionals in my filter? Otherwise if i just need to quickly search I can do it through a field? Or if my purpose is to find an event, on say kibana, I should use a field or tag? Thanks

Mike


(Magnus B├Ąck) #4

Still confused probably both can be used to quickly query for a specific attribute.

Yes.

Does this mean I should only add fields when I do not need to do conditionals in my filter? Otherwise if i just need to quickly search I can do it through a field? Or if my purpose is to find an event, on say kibana, I should use a field or tag?

Either way, really. Tags are a way of attaching boolean values to events, i.e.

{
  "tags": [
    "foo",
    "bar"
  ]
}

isn't much different from this:

{
  "foo": true,
  "bar": true
}

Apart from the obvious difference in syntax there's another thing: In the latter case a new "tag value" created as a field will affect the mapping of the type but adding a new string to the tags list (which is just a regular Logstash field) won't.

In the end a tag is just a special-purpose field used as a shorthand for slapping, well, a tag onto a document.


How do I query for a tag in Kibana?
(system) #5