How event types work
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
How event types work
Event types are a categorization system to help you make sense of your data. Event types let you sift through huge amounts of data, find similar patterns, and create alerts and reports. Event types are a default field that is indexed with events. Tag and save event types after indexing.
Events versus event types
Events are a single record of activity within a log file. An event typically includes a timestamp and provides information about what occurred on the system being monitored or logged.
Event type is a user-defined field that simplifies search by letting you categorize events. Event types classify events that have common characteristics. Tag or save event types after indexing your data.
Event type classification
There are several ways to create your own event types. Define event types via Splunk Web or through configuration files, or you can save any search as an event type. When saving a search as an event type, you may want to use the punct field to craft your searches. The punct field helps you narrow down searches based on the structure of the event.
punct field
Because the format of an event is often unique to an event type, Splunk indexes the punctuation characters of events as a field called punct. The punct field stores the first 30 punctuation characters in the first line of the event. This field is useful for finding similar events quickly.
When you use punct, keep in mind:
- Quotes and backslashes are escaped.
- Spaces are replaced with an underscore (_).
- Tabs are replaced with a "t".
- Dashes that follow alphanumeric characters are ignored.
- Interesting punctuation characters are: " ,;-#$%&+./:=?@\\'|*\n\r\"(){}<>[]^!"
Also see the Splunk Tutorial section about punct for a quick introduction.
punct examples
This event:
####<Jun 3, 2005 5:38:22 PM MDT> <Notice> <WebLogicServer> <bea03> <asiAdminServer> <WrapperStartStopAppMain> <>WLS Kernel<> <> <BEA-000360> <Server started in RUNNING mode>
Produces this punctuation:
####<_,__::__>_<>_<>_<>_<>_<>_
This event:
172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953
Produces this punctuation:
..._-_-_[:::_-]_\"_?=_/.\"__
Event type discovery
Pipe any search to the new typelearner command and create event types directly from Splunk Web. The file eventdiscoverer.conf is mostly deprecated, although you can still specify terms to ignore when learning new event types in Splunk Web.
Learn more about event type discovery.
Create new event types
The simplest way to create a new event type is through Splunk Web. Save an event type much in the same way you save a search. Learn more about saving event types.
Create new event types by modifying eventtypes.conf. Learn more about creating new event types.
Event type tags
Tag event types to organize your data into categories. There can be multiple tags per event. Learn more about tagging event types
Configuration files for event types
Event types are stored in eventtypes.conf.
Terms for event type discovery are set in eventdiscoverer.conf.
This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 View the Article History for its revisions.