Still confused; probably both can be used to quickly query for a specific attribute.
Yes.
Does this mean I should only add fields when I do not need to do conditionals in my filter? Otherwise, if I just need to quickly search, I can do it through a field? Or if my purpose is to find an event, on say Kibana, should I use a field or tag?
Either way, really. Tags are a way of attaching boolean values to events, i.e.
{
  "tags": [
    "foo",
    "bar"
  ]
}
isn't much different from this:
{
  "foo": true,
  "bar": true
}
Apart from the obvious difference in syntax there's another thing: In the latter case a new "tag value" created as a field will affect the mapping of the type but adding a new string to the tags list (which is just a regular Logstash field) won't.
In the end a tag is just a special-purpose field used as a shorthand for slapping, well, a tag onto a document.
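The mapping difference described in the answer above, as an added example that is not part of the original thread. It uses a simplified model of Elasticsearch dynamic mapping (one mapping entry per new field name, arrays mapped by their element type); the function names and sample events are assumptions made for illustration.

```python
# Added illustration: a simplified model of Elasticsearch dynamic mapping,
# not Logstash or Elasticsearch code. Event contents are constructed samples.

def infer_type(value):
    """Rough stand-in for dynamic mapping's type detection."""
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, list):
        # Arrays have no type of their own: the element type is mapped.
        return infer_type(value[0]) if value else None
    if isinstance(value, str):
        return "text"
    return "long"  # simplification: every other value is treated as numeric


def dynamic_mapping(events):
    """Return {field: type} after indexing the events in order."""
    mapping = {}
    for event in events:
        for field, value in event.items():
            detected = infer_type(value)
            if detected and field not in mapping:
                mapping[field] = detected  # first sighting fixes the mapping
    return mapping


def tags_to_fields(event):
    """Rewrite {"tags": ["foo"]} into {"foo": True}, the second form above."""
    out = {k: v for k, v in event.items() if k != "tags"}
    out.update({tag: True for tag in event.get("tags", [])})
    return out


# Constructed sample events using the tag convention.
TAGGED = [
    {"message": "a", "tags": ["foo", "bar"]},
    {"message": "b", "tags": ["bar", "baz"]},
    {"message": "c", "tags": ["qux"]},
]
AS_FIELDS = [tags_to_fields(e) for e in TAGGED]

if __name__ == "__main__":
    print(dynamic_mapping(TAGGED))     # mapping stays at two fields
    print(dynamic_mapping(AS_FIELDS))  # one boolean field per distinct label
```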