Special Devo tags
There are a number of Devo tags that were designed to be used only in special circumstances. Some of these tags are meant to be used to send data to Devo, while others are tags applied by Devo to describe particular types of data tables.
Tags beginning with my.app can describe two types of data.
Tables created by injecting existing data
When you inject data into a new table, the new table will always be assigned the prefix my.app.
Events for which there is no Devo tag
When you want to send events to Devo from a source for which there is no Devo tag, you can create your own tag using my.app as the prefix. This can happen with proprietary data sources or publicly-available sources for which Devo has not yet created a tag (and therefore, there's no associated parser).
A note about creating Devo tags
The Devo professional services team can create new tags for any kind of data source. Just contact customer support for details.
The full tag should have at least four levels and may have up to six. The first two are fixed as my.app. The third and fourth levels are free and should describe the application type and event type respectively. The fifth and sixth levels are optional and should be used to identify the actual source of the events. For example, if there are several servers running the application and reporting events to Devo, these levels can help identify the event's specific event source.
|my||app||free and required|
free, not required but highly recommended
|free, not required||free, not required|
When Devo receives an event with a tag that begins with my.app, it saves the event to a file and location determined by the tag levels and adds the first four levels of the tag to the finder. However, since Devo is not equipped with a parser for this event type, when you open the data table, each event row will have only a few fields:
- eventdate This is the date/time the event was received by Devo.
- cluster This is the fifth level of the tag (if it was used).
- instance This is the sixth level of the tag (if it was used).
- message This contains the unparsed content as it was received.
You can manually parse the content of the message field using the column operations available in the query window. Then, when you've parsed all the fields into columns, create a custom table. From this point, you can use the custom table to consult the data parsed into columns.
This tag is used to test event sending after you have set up a new event source, Devo relay, or to test a relay rule. Events that are received with this tag are saved in the test.keep.free table which you can consult to confirm that your events have been sent correctly and with the correct data.
my.sythesis and my.blend
A tag beginning with my.synthesis or my.blend identifies a custom table; either a new table created from that contents of another table, or a union of two tables. When you create a custom table, you can choose between these two prefixes when you assign a name to the new table. See Create a custom table for more information.
To help differentiate between the types of tables created in your domain, we recommend that you use my.synthesis for custom tables and my.blend for union tables.
These tags are not used to send data to Devo.
This is a special table where Devo saves any inbound event that has no tag or has a tag that it doesn't recognize. This can also happen if the hostname of the machine where the Devo Relay is installed contains dots (for example, relay.host.name).
If you see this table in the Finder, it is a clear message that some events are not being tagged correctly. You should review to contents of the table and investigate why the events are not tagged correctly.
Create an alert that notifies the domain administrators when new events are saved to this table.
Because the event was not correctly tagged, Devo is unable to parse the event fields so the event's message content is saved in a single column called message. The other columns in the unknown.unknown data table are:
- eventdate - when the event was received by Devo
- level - event's the syslog level
- hostchain - the event's source machine; both hostname and IP address if available
The combination of the information provided should help you identify the data source and take steps to correct the tagging problem.