Admin Manual


How event types work

Event types are a categorization system to help you make sense of your data. They are one of the most powerful ways in which Splunk creates order out of IT chaos. Event types let you sift through huge amounts of data, find similar patterns, and create alerts and reports. Event types are a default search field that is indexed with events. You can also tag and save event types after indexing.


Events versus event types

An event is a single record of activity within a log file. An event typically includes a timestamp and provides information about what occurred on the system being monitored or logged.


Event types are a user-defined search field that categorizes events to simplify searching. Event types classify events that have common characteristics. You can tag or save event types after indexing your data.


Event type classification

By default, Splunk auto-discovers event types in your data. There are several ways to create additional event types. You can define event types or increase the level of auto-discovery through configuration files, or you can save any search as an event type. When saving a search as an event type, you may want to use the punct field to craft your searches. The punct field helps you narrow down searches based on the structure of the event.


punct field

Because the format of an event is often a powerful part of defining an event type, Splunk indexes the punctuation characters of events as a search field called punct. This field may seem cryptic at first. However, it is a powerful way of finding similar events quickly.


When Splunk classifies an event, it looks at the first 30 punctuation characters in the first line of the event. Event punctuation is stored in the punct field and is used for event type discovery.


When you use the punct field, keep in mind:


Also see the Splunk Tutorial section about punct for a quick introduction.


punct examples

This event:


####<Jun 3, 2005 5:38:22 PM MDT> <Notice> <WebLogicServer> <bea03> <asiAdminServer> <WrapperStartStopAppMain> <>WLS Kernel<> <> <BEA-000360> <Server started in RUNNING mode>

Produces this punctuation:


####<_,__::__>_<>_<>_<>_<>_<>_

This event:


172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953

Produces this punctuation:


..._-_-_[:::_-]_\"_?=_/.\"__
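As an added example (not from the Splunk documentation and not Splunk's own code), the following Python approximates the punct rule described above: letters and digits are dropped, each whitespace character becomes an underscore, every other character is kept, and only the first 30 punctuation characters of the event's first line count. It reproduces the WebLogic example exactly. For the access-log event it keeps the slashes in the date and request path and does not backslash-escape the quotes, giving `..._-_-_[//:::_-]_"_//?=_/."__` where the page lists a shorter value, so treat the substitution table of any particular Splunk version as something to verify against its own output. The second function, structural_outliers (a name chosen here), shows the defender's use of punct: count the event structures in a stream and surface the rare ones, so an unexpected format among otherwise uniform log lines stands out. All sample log lines are constructed for this example.

```python
from collections import Counter

PUNCT_LIMIT = 30  # Splunk looks at the first 30 punctuation characters of the first line


def punct(event: str, limit: int = PUNCT_LIMIT) -> str:
    """Approximate the Splunk punct field for one event.

    Letters and digits are dropped, each whitespace character becomes "_",
    every other character is kept as-is, and only the first `limit`
    punctuation characters of the first line are returned.
    (Approximation of the documented rule, not Splunk's own implementation.)
    """
    first_line = event.split("\n", 1)[0]
    out = []
    for ch in first_line:
        if ch.isalnum():
            continue
        out.append("_" if ch.isspace() else ch)
        if len(out) == limit:
            break
    return "".join(out)


def punct_groups(events):
    """Count how many events share each punct value."""
    return Counter(punct(e) for e in events)


def structural_outliers(events, max_share=0.2):
    """Return {punct: count} for structures seen in at most max_share of the events.

    A uniform log stream produces a handful of punct values; a value that
    appears rarely is a cheap signal that an unexpected event format slipped in.
    """
    counts = punct_groups(events)
    total = len(events)
    return {p: c for p, c in counts.items() if c / total <= max_share}


# The WebLogic event from the page, used to check the rule against the page's own output.
WEBLOGIC_EVENT = (
    "####<Jun 3, 2005 5:38:22 PM MDT> <Notice> <WebLogicServer> <bea03> "
    "<asiAdminServer> <WrapperStartStopAppMain> <>WLS Kernel<> <> <BEA-000360> "
    "<Server started in RUNNING mode>"
)

# Constructed sample: five access-log lines with the same layout plus one
# application error line whose structure differs.
SAMPLE_EVENTS = [
    '172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953',
    '172.26.34.224 - - [01/Jul/2005:12:05:28 -0700] "GET /trade/app?action=login HTTP/1.1" 200 1811',
    '10.1.4.17 - - [01/Jul/2005:12:05:29 -0700] "GET /trade/app?action=quote HTTP/1.1" 200 4120',
    '172.26.34.223 - - [01/Jul/2005:12:05:31 -0700] "GET /trade/app?action=buy HTTP/1.1" 302 0',
    '192.168.7.9 - - [01/Jul/2005:12:05:33 -0700] "GET /trade/app?action=home HTTP/1.1" 200 9934',
    "2005-07-01 12:05:30,112 ERROR [worker-3] Connection to db01:5432 refused (retry 2/5)",
]

if __name__ == "__main__":
    print(punct(WEBLOGIC_EVENT))
    for p, c in punct_groups(SAMPLE_EVENTS).most_common():
        print(f"{c:3d}  {p}")
    print("rare structures:", structural_outliers(SAMPLE_EVENTS))
```

Because the 30-character window is taken from the start of the event, fields that vary only in letters and digits (IP addresses, timestamps, query values) collapse into one punct value, which is what makes the field useful for grouping; conversely, anything that changes the punctuation early in the line, such as extra separators in a request path, produces a new group and is worth a look.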

Auto-discovery

Splunk automatically finds and labels event types as data enters the index. Events are classified into event types based on data patterns such as punctuation and key/value pairs. By default, event type auto-discovery is tuned low. You can turn up discovery by configuring eventdiscoverer.conf.


Learn more about configuring auto-discovery.


Create new event types

The simplest way to create a new event type is through SplunkWeb. You can save an event type much in the same way you save a search.


Learn more about saving event types.


You can also create a new event type by modifying eventtypes.conf. Learn more about creating new event types.


Event type tags

You can also tag event types to allow you to organize your data into categories. There can be multiple tags per event.


Learn more about tagging event types.


Configuration files for event types

Event types are stored in eventtypes.conf.


Event type discovery is controlled by eventdiscoverer.conf.

This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4.

