Advanced Tutorial
Event Types
Event types come in two forms:
- Local event types have a numeric value preceded by a question mark (?), for example ?14 or ?234.
- Global event types have an alphanumeric value like SP-CAAAE8K that shows they've been looked up and matched at Splunk Base. Every Splunk user around the world who encounters an event of this type will be able to refer to it by this label unambiguously when discussing it or sharing data samples with other Splunkers.
Tags
Tags let Splunk users share their knowledge about event types and hosts both locally with colleagues, and globally with all Splunk users everywhere.
How tags work
Tags are arbitrary labels human users apply to create an informal "folksonomy" that encapsulates what Splunk users collectively know about an event type or a host. One tag, such as failure, can be applied to many event types or hosts. One event type or host can have many tags, such as IBM DB2 locking problem.
Tagging an event type
To add, edit or remove tags from an event type or host, click the menu button to the right of the event type. A dialog box with the current tags for the event type will pop up.
Tagging a host
To add, edit or remove tags from a host, click the menu button to the right of the host. A dialog box with the current tags for the host will pop up.
Live Splunks
(Splunk Professional only)
Live Splunks are like cron jobs that run Saved Splunks instead of shell commands. A Live Splunk can be set up to run at a certain interval or at a certain time. It can be configured to search a specific time window, such as from exactly 3:00 AM to exactly 4:00 AM.
Alerts
Live Splunks are configurable to notify one or more users whenever certain result parameters are met, such as more than 100 results or an increase of more than 10 percent. The server can either send an email, run a shell command, update an RSS feed or all of the above whenever its alert threshold is met.
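The two threshold kinds named above (an absolute result count and a percentage increase over the previous run) behave differently on the first run and on a zero baseline. The following added example, not part of the Splunk documentation or product, evaluates a series of scheduled-run result counts against both thresholds; the counts and threshold values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AlertThresholds:
    """Conditions a scheduled search's result count is checked against after each run."""
    max_results: Optional[int] = None         # fire when count > max_results (e.g. 100)
    max_increase_pct: Optional[float] = None  # fire when growth over the previous run > this (e.g. 10.0)


def evaluate_run(count: int, previous: Optional[int], t: AlertThresholds) -> List[str]:
    """Return the reasons this run meets its thresholds; an empty list means no alert."""
    reasons = []
    if t.max_results is not None and count > t.max_results:
        reasons.append(f"{count} results > {t.max_results}")
    if t.max_increase_pct is not None and previous is not None:
        if previous == 0:
            # No baseline to divide by: going from nothing to something counts as an increase.
            if count > 0:
                reasons.append(f"rose from 0 to {count}")
        else:
            pct = (count - previous) * 100.0 / previous
            if pct > t.max_increase_pct:
                reasons.append(f"up {pct:.1f}% from {previous}")
    return reasons


def evaluate_history(counts: List[int], t: AlertThresholds) -> List[Tuple[int, int, List[str]]]:
    """Walk consecutive runs and return (run index, count, reasons) for each run that alerts.
    The first run has no previous count, so only the absolute threshold can fire there."""
    alerts = []
    previous = None
    for i, count in enumerate(counts):
        reasons = evaluate_run(count, previous, t)
        if reasons:
            alerts.append((i, count, reasons))
        previous = count
    return alerts


# Constructed sample: hourly result counts from a hypothetical failed-login search.
SAMPLE_COUNTS = [0, 8, 8, 9, 30, 120]
THRESHOLDS = AlertThresholds(max_results=100, max_increase_pct=10.0)

if __name__ == "__main__":
    for run, count, reasons in evaluate_history(SAMPLE_COUNTS, THRESHOLDS):
        print(f"run {run}: {count} results -> alert: {'; '.join(reasons)}")
```

Note that the relative threshold fires on the 8-to-9 step, a 12.5 percent rise on a tiny baseline; a percentage rule alone produces noise at low volumes, which is why pairing it with an absolute count is the more reliable configuration.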
Report Splunks
(Splunk Professional only)
Splunk's report:: can run SQL select statements on your Splunk results to create tabular reports. You can then export the results as a text file or in comma-separated values (CSV) format. Using report:: in a Live Splunk is a good way to set up management reports that arrive via email.
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6.