Event type templates

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Configuration
Example

Event type templates

Create an event type based on a field via eventtypes.conf. For example:

[$NAME %$FIELD%]
$SEARCH_QUERY

Event type templates works a lot like macro searches: %$FIELD% gets filled in at search time with field=foo or field=bar, etc -- whatever the search query yields for that event type's field.

Configuration

When setting the name in eventtypes.conf, follow these specifications:

[$EVENTTYPE]

Header for the event type
$EVENTTYPE is the name of your event type.
You can have any number of event types, each represented by a stanza and any number of the following attribute/value pairs.
- NOTE: If the name of the event type includes field names surrounded by the percent character (e.g. "%$FIELD%") then the value of $FIELD is substituted into the event type name for that event.

Example

[cisco-%code%]
cisco

If "code=432", this event type becomes "cisco-432".

Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.2.1/Admin/EventTypeTemplates"

« Event type discovery Dynamic event rendering »

This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 View the Article History for its revisions.

Was this topic useful?
Post a comment

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!

Admin Manual

Event type templates

Contents

Event type templates

Configuration

Example

Comments