Event types

Event types

Splunk allows you to classify events that have common characteristics and save them as a value in the eventtype field. Examples of event types include all ssh logins and all sendmail syslog messages. Editing, tagging, and naming such event types helps the Splunk server learn and improve its performance.

In this tutorial, you will search for a specific event and save your results as an event type which you can later apply to a new search.

Find similar events

Search for all events in the sampledata index:

Because the format of an event is often a powerful part of defining an event type, Splunk indexes the punctuation characters of events as a field called punct. This field, while it looks cryptic at first, is a powerful way of finding similar events quickly.

To activate the punct field:

1. Click the FIelds... menu.

2. From the list of fields, check the punct field.

3. Select Apply.

The punct filter menu now appears below the timeline.

4. Click on this menu to view a list of the 10 punct values that are most common in your results:

5. Add a filter to your search for the most common punct value in sampledata, which might be:

Your results update to include only events in the sample data that have a matching punctuation scheme.

Save as event type

We want to save the last search as an event type. First, let's add "logout" to the search string:

Now, the results are all sampledata events with the punctuation scheme that are logout actions.

To save your results as an event type:

1. Click the search bar menu.

2. Choose Save as event type...

3. In the Save Event Type dialog box, name your event type "trade_app_logouts".

4. Click Save.

Now you can include your new event type in a search.

Note: If your event type name contains spaces, the spaces will be replaced with underscores and the tags will not be saved. When naming the event type, do not include spaces.

Search for an event type

Let's search for all events in sampledata again.

1. After the search results load, activate the eventtype field filter.

2. From this field filter, choose trade_app_logouts.

Notice that eventtype=trade_app_logout appears as a field in your results, underneath each event:

3. Now, you can add the filter to your search:

• Click on Add filter to search, or
• In the events list, click on a highlighted instance of the field.

You search string updates to:

Note: Identifying and saving an event type means you can search for it directly. In fact, if you know the field name and value, you do not need to activate the field filter to add it to your search.

You can also click on the down-arrow to the right of the eventtype instance to perform the following options:

• Report on all event types
• Search for this event type
• Tag event type
• Rename event type
• Delete event type

Tag an event type

You can tag event types that have very different search terms and punctuation patterns with common words, then find all events of types that have any tag. This is a great way to create higher level classifications like "logouts" that cross different logout event types from different applications.

You can also tag hosts with one or more words describing their function or type, enabling users to easily search for all activity on a group of similar servers. Tagging hosts is useful for knowledge capture and sharing and for crafting more precise searches.

See the section in our Admin manual on Host tagging.

Automated event type discovery

Splunk automatically discovers event types based on seeing a large number of events sharing common characteristics. You can edit, delete, rename, and tag event types that Splunk discovers. You can also make your own event types by saving any search as an event type.

Learn how to use automated event type discovery in Splunk Web.

You can also change the settings that determine which keywords are considered in event type discovery in its eventdiscoverer.conf configuration file. Learn how to configure eventdiscoverer.conf.

• Was this topic useful?
• Post a comment