Data Sources can have multiple tags assigned to them. The tags act as categorisations of the incoming data. This provides a flexible mechanism to slice and dice data. For example, if we take a look at two data sources containing TransactionServerLogs existing in two different environments or hosts.

Data Source Settings
TransactionServer,prod This data source ingests data only cominig from the prod servers prdsvr0001,prdsvr0002
TransactionServer,uat This data source ingests data cominig from the uat servers uatsvr0001,uatsvr0002

The data in this example has been categorised by the environment and source. It is up to the Administrator or Developer to categorise sources of data in a way that makes sense to users of the system. The tagging gives us flexility at search time to include and exclude data categories as we wish.

To search the system for all TransactionServer related data, the user would start off with a search like this.

| _tag.equals(TransactionServer)
This will return TransactionServer data coming from the uat and prod hosts.

If the user wanted to restrict the results coming only from the uat environment the user must include an extra filter in the search.

| _tag.contains(TransactionServer) _tag.contains(uat)
Since there is an implicit AND between all search terms the search would include results coming from TransactionServer and uat

The following search illustrates results comiing from the uat environment OR prod

| _tag.contains(uat,prod)