Configure eventtypes.conf
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Configure eventtypes.conf
Add your own event types by configuring eventtypes.conf. There are a few default event types defined in $SPLUNK_HOME/etc/system/default/eventtypes.conf. Any event types you create through Splunk Web are automatically added to $SPLUNK_HOME/etc/system/local/eventtypes.conf.
Configuration
Make changes to event types in eventtypes.conf. Use $SPLUNK_HOME/etc/system/README/eventtypes.conf.example as an example, or create your own eventtypes.conf. Edit eventtypes.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.
[$EVENTTYPE]
- Header for the event type
- $EVENTTYPE is the name of your event type.
- You can have any number of event types, each represented by a stanza and any number of the following attribute/value pairs.
- Note: If the name of the event type includes field names surrounded by the percent character (e.g. "%$FIELD%") then the value of $FIELD is substituted into the event type name for that event. For example, an event type with the header [cisco-%code%] that has "code=432" becomes labeled "cisco-432".
search = <string>
- Search terms for this event type.
- For example: error OR warn.
tags = <string>
- Space separated words that are used to tag an event type.
isglobal = <1 or 0>
- Toggle whether event type is shared.
- If isglobal is set to 1, everyone can see/use this event type.
- Defaults to 1.
disabled = <1 or 0>
- Toggle event type on or off.
- Set to 1 to disable.
Example
[web] search = html OR http OR https OR css OR htm OR html OR shtml OR xls OR cgi [fatal] search = FATAL
Disable event types
Disable specific event types by adding the following tag to $SPLUNK_HOME/etc/system/local/eventtypes.conf:
[$EVENTTYPE] disabled = 1
$EVENTTYPE is the name of the event type you wish to disable.
So if you want to disable the [web] event type, add the following entry to ../local/eventtypes.conf:
[web] disabled = 1
This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13 , 3.4.14 View the Article History for its revisions.