eventtypes.conf
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
eventtypes.conf
Eventtypes.conf stores definition and tags for event types, whether they were discovered by Splunk automatically or defined by users via the SplunkWeb interface.
To edit this configuration for your local Splunk server, make your edits in $SPLUNK_HOME/etc/bundles/local/eventtypes.conf.
You can create this file by copying examples from $SPLUNK_HOME/etc/bundles/README/eventtypes.conf.example.
Never edit files in our default bundle in $SPLUNK_HOME/etc/bundles/default or your changes may be overwritten in an upgrade.
eventtypes.conf.spec contents
# Copyright (C) 2005-2007 Splunk Inc. All Rights Reserved. Version 3.0
# This file contains all the possible values for eventtype entries in a
# eventtypes.conf file.
# A configuration looks like:
# [<eventtype name>]
# attribute1 = val1
# ...
[<eventtype name>]
* Name of the eventtype (header)
name = <string>
* Actual displayed name of the eventtype splunk.
query = <string>
* Actual query terms of this eventtype (i.e. error OR warn)
userid = <integer>
* UserId that is bound to this splunk, use "1" for admin
Possible values: Any splunk user id.
isglobal = <integer>
* If isglobal is set to 1, everyone can see/use this search
( Possible values: 1/0 ).
tags = <string>
* Space separated words that are used to tag an eventtype
This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 View the Article History for its revisions.