Documentation > Splunk > Admin Manual > eventdiscoverer.conf

Admin Manual

 


Getting Started
How Splunk Works
Configuring a Splunk Deployment
Data Inputs
Hosts
Source Types
Timestamp Recognition
Events
Event Types
Meta Events
Fields
Segmentation
Saved Searches and Alerts
Authentication
Granular Access Control
Data Distribution
Distributed Search
Deployment Server
Index Management
Bundles
SplunkBase
Performance Tuning
Routine Maintenance
How-To
Troubleshooting
Reference

eventdiscoverer.conf

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

eventdiscoverer.conf

Eventdiscover.conf controls whether and how Splunk attempts to automatically learn new event types.


To edit this configuration for your local Splunk server, make your edits in $SPLUNK_HOME/etc/bundles/local/eventdiscoverer.conf.


You can create this file by copying examples from $SPLUNK_HOME/etc/bundles/README/eventdiscoverer.conf.example.


Never edit files in our default bundle in $SPLUNK_HOME/etc/bundles/default or your changes may be overwritten in an upgrade.


eventdiscoverer.conf.spec 

use_any_keyword = <boolean> (default = "true")
        * If true, eventtypes discovered can be generated from any
          keyword the algorithm finds useful for clustering events;
          otherwise, only keywords in the known_keywords list are used
          for generating eventtype.
ignored_keywords = <comma-separate list of term> (default = "sun, mon, tue,...")
        * Terms in this list are never considered for defining an
          eventtype.  If you find that eventtypes have terms you do
          not want considered (e.g., "mylaptopname"), add that term to
          this list.
known_keywords = <comma-separate list of term> (default = "300, 301, 302,...")
        * If use_any_keyword is false, only terms in this list are
          considered for defining an eventtype.  If you find that
          eventtypes aren't being discovered with terms that you
          think should be discovered and you have use_any_keyword = false,
          consider adding terms to this list or changing
          use_any_keyword to be true.
max_format_len = <integer> (1-300. default = "5" characters)
        * Determines the maximum length of the punct:: attribute added
          to eventtypes.  The larger the value, the more attention is
          paid to the structure of events vs the keywords in them.
learned_eventtype_priority = <integer> (1-10. default = "1")
        * The priority value for learned eventtypes.  A lower value
          means lower priority.
process_every_n_events = <integer> (between 1-inf.  default = "5" events)
        * Consider every N events to discover eventtypes.  The larger
          the value, the faster indexing will be, but the lower the
          rate at which eventtypes will be discovered.
Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.0.2/Admin/Eventdiscovererconf"

This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!