Configure event types directly in eventtypes.conf
You can add new event types and update existing event types by configuring eventtypes.conf. There are a few default event types defined in $SPLUNK_HOME/etc/system/default/eventtypes.conf. Any event types you create through Splunk Web are automatically added to $SPLUNK_HOME/etc/system/local/eventtypes.conf.
Configuration
Make changes to event types in eventtypes.conf. Use $SPLUNK_HOME/etc/system/README/eventtypes.conf.example as an example, or create your own eventtypes.conf.
Edit eventtypes.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in the Admin manual.
[$EVENTTYPE]
- Header for the event type.
- $EVENTTYPE is the name of your event type.
- You can have any number of event types, each represented by a stanza and any number of the following attribute/value pairs.
- Note: If the name of the event type includes field names surrounded by the percent character (for example, %$FIELD%), then the value of $FIELD is substituted at search time into the event type name for that event. For example, an event type with the header [cisco-%code%] that has code=432 becomes labeled [cisco-432].
search = <string>
- Search terms for this event type.
- For example: error OR warn.
- Note: You cannot create an event type with search commands or the pipe operator, and you cannot use tags to define an event type. You may have only one search = entry per event type.
isglobal = <1 or 0>
- Toggle whether event type is shared.
- If isglobal is set to 1, everyone can see/use this event type.
- Defaults to 1.
disabled = <1 or 0>
- Toggle event type on or off.
- Set to 1 to disable.
Example
Here are two event types; one is called web, and the other is called fatal.
[web]
search = html OR http OR https OR css OR htm OR html OR shtml OR xls OR cgi

[fatal]
search = FATAL
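As an added example, not part of this page and not Splunk's own code, the following Python script parses a constructed eventtypes.conf fragment, flags stanzas that break the rules above (more than one search = entry, a pipe or search command, a tag in search =), resolves %field% references in stanza names from an event's extracted fields, skips stanzas with disabled = 1, and labels a few constructed sample events. Its keyword matcher is a deliberate simplification of Splunk's search language (bare terms with implicit AND and uppercase OR only); the function names, the sample configuration and the sample events are all assumptions made for the illustration.

```python
"""Parse an eventtypes.conf fragment, check it against the rules on this page,
and label sample events. Added example; not Splunk's own code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed configuration text, standing in for
# $SPLUNK_HOME/etc/system/local/eventtypes.conf.
SAMPLE_CONF = """
# comment lines are ignored
[web]
search = html OR http OR https OR css OR htm OR shtml OR xls OR cgi
isglobal = 0

[fatal]
search = FATAL
disabled = 1

[cisco-%code%]
search = cisco
"""

FIELD_REF = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")  # %field% in a stanza name
TAG_REF = re.compile(r"\btag(::\w+)?=")                 # tag=... or tag::field=...

@dataclass
class EventType:
    name: str
    search: Optional[str] = None
    isglobal: bool = True        # documented default: shared with everyone
    disabled: bool = False
    errors: List[str] = field(default_factory=list)

def parse_eventtypes_conf(text: str) -> Dict[str, EventType]:
    """Parse [stanza] headers and attribute = value lines; '#' starts a comment."""
    stanzas: Dict[str, EventType] = {}
    current: Optional[EventType] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = EventType(name=header.group(1))
            stanzas[current.name] = current
            continue
        if current is None or "=" not in line:
            raise ValueError("attribute outside a stanza: %r" % line)
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "search":
            if current.search is not None:
                current.errors.append("more than one search= entry")
            if "|" in value:
                current.errors.append("pipe operator or search command in search=")
            if TAG_REF.search(value):
                current.errors.append("tags cannot define an event type")
            current.search = value
        elif key == "isglobal":
            current.isglobal = value == "1"
        elif key == "disabled":
            current.disabled = value == "1"
    return stanzas

def resolve_name(stanza_name: str, event_fields: Dict[str, str]) -> Optional[str]:
    """Replace each %field% with the event's value; None if any field is absent."""
    missing = False

    def substitute(m):
        nonlocal missing
        value = event_fields.get(m.group(1))
        if value is None:
            missing = True
            return m.group(0)
        return value

    resolved = FIELD_REF.sub(substitute, stanza_name)
    return None if missing else resolved

def matches(search: str, raw: str) -> bool:
    """Simplified keyword matcher: uppercase OR separates alternatives, whitespace
    inside an alternative is an implicit AND, terms are case-insensitive tokens."""
    tokens = set(re.findall(r"[a-z0-9_]+", raw.lower()))
    for alternative in re.split(r"\s+OR\s+", search.strip()):
        terms = [t.lower() for t in alternative.split()]
        if terms and all(t in tokens for t in terms):
            return True
    return False

def label_event(stanzas: Dict[str, EventType], event: Dict[str, str]) -> List[str]:
    """Return the event type names an event receives, honouring disabled = 1 and
    %field% substitution; stanzas whose referenced fields are missing are skipped."""
    labels = []
    for et in stanzas.values():
        if et.disabled or et.search is None or et.errors:
            continue
        if matches(et.search, event.get("_raw", "")):
            name = resolve_name(et.name, event)
            if name is not None:
                labels.append(name)
    return labels

if __name__ == "__main__":
    conf = parse_eventtypes_conf(SAMPLE_CONF)
    # Constructed sample events: raw text plus already-extracted fields.
    for ev in ({"_raw": "GET /index.html 200"},
               {"_raw": "cisco ASA: access denied", "code": "432"},
               {"_raw": "FATAL: disk failure"},
               {"_raw": "cisco ASA: link down"}):
        print(ev["_raw"], "->", label_event(conf, ev))
```

Note that the cisco event without a code field gets no label at all rather than a literal "cisco-%code%" label, and that a stanza with a validation error is never applied; both are choices made here for the example, since the page only states the rules and not what Splunk does when they are violated.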
Disable event types
Disable an event type by adding disabled = 1 to that event type's stanza in eventtypes.conf:
[$EVENTTYPE]
disabled = 1
$EVENTTYPE is the name of the event type you wish to disable.
So if you want to disable the web event type, add the following entry to its stanza:
[web]
disabled = 1
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11