eventtypes.conf
eventtypes.conf stores definitions and tags for event types, whether they were discovered by Splunk automatically or defined by users in SplunkWeb.
IMPORTANT: If you want to disable any event type from eventtypes.conf, you can either:
- delete the eventtype from $SPLUNK_HOME/etc/bundles/default/eventtypes.conf, or
- add the tag priority = 0 to any event type entry.
  - you can set priority = 0 in $SPLUNK_HOME/etc/bundles/local/eventtypes.conf for any entry in ../default/eventtypes.conf to override the default entry.
eventtypes.conf.spec
Copyright (C) 2005-2007 Splunk Inc. All Rights Reserved. Version 3.0
# This file contains all the possible values for eventtype entries in a
# eventtypes.conf file.
# A configuration looks like:
# [<eventtype name>]
# attribute1 = val1
# ...
[<eventtype name>]
* Name of the eventtype (header)
query = <string>
* Actual query terms of this eventtype (i.e. error OR warn)
userid = <integer>
* UserId that is bound to this splunk, use "1" for admin
Possible values: Any splunk user id.
isglobal = <integer>
* If isglobal is set to 1, everyone can see/use this search
( Possible values: 1/0 ).
tags = <string>
* Space separated words that are used to tag an eventtype
eventtypes.conf.example
# Copyright (C) 2005-2007 Splunk Inc. All Rights Reserved. Version 3.0
#
# EXAMPLE of eventtype
#
# This simple example shows how to create an eventtype.
# Pre-defined eventtypes are found in $SPLUNK_HOME/etc/bundles/local/eventtypes.conf.

[error]
# query the search will be executing
query = error OR fatal
tags = error problem alert important
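To confirm which event types end up disabled once a priority = 0 entry in the local bundle is layered over the default bundle, the following added Python example (not Splunk code and not part of the original documentation) parses two eventtypes.conf texts and reports the disabled entries and the ones still visible to everyone through isglobal = 1. It assumes local attributes override default ones attribute by attribute; the [login_failure] stanza and both sample files are constructed.

```python
# Added example, not Splunk code: layers a local eventtypes.conf over the
# default one and reports disabled and globally visible event types.

def parse_conf(text):
    """Return {stanza: {attribute: value}} for Splunk-style .conf text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective(default_text, local_text):
    """Layer local over default, attribute by attribute (assumed precedence)."""
    merged = {n: dict(a) for n, a in parse_conf(default_text).items()}
    for name, attrs in parse_conf(local_text).items():
        merged.setdefault(name, {}).update(attrs)
    return merged

def audit(merged):
    """Return (disabled, shared): priority = 0 entries, then enabled isglobal = 1 ones."""
    disabled = sorted(n for n, a in merged.items() if a.get("priority") == "0")
    shared = sorted(n for n, a in merged.items()
                    if a.get("isglobal") == "1" and n not in disabled)
    return disabled, shared

# Constructed sample input, not taken from a real installation.
DEFAULT = """
[error]
query = error OR fatal
tags = error problem alert important
isglobal = 1

[login_failure]
query = failed OR denied
userid = 1
isglobal = 1
"""
LOCAL = """
# Disable the default [error] entry without editing the default bundle.
[error]
priority = 0
"""

if __name__ == "__main__":
    disabled, shared = audit(effective(DEFAULT, LOCAL))
    print("disabled:", disabled)
    print("enabled and global:", shared)
```
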
This documentation applies to the following versions of Splunk: 3.1.4