Configure event type templates
Event type templates create event types at search time. Define event type templates in eventtypes.conf. Edit eventtypes.conf in $SPLUNK_HOME/etc/system/local/, or in your own custom application directory under $SPLUNK_HOME/etc/apps/.
For more information on configuration files in general, see "About configuration files" in the Admin manual.
Event type template configuration
Event type templates use a field name surrounded by percent characters in the stanza name. At search time, each event returned by the template's search gets an event type whose name is the stanza name with the %$FIELD% placeholder replaced by that event's value for $FIELD.
[$NAME-%$FIELD%]
search = $SEARCH_QUERY
So if the search query in the template returns an event whose $FIELD value is bar, Splunk creates an event type named $NAME-bar for that event.
Example
[cisco-%code%]
search = cisco
If a search on "cisco" returns an event that has code=432, Splunk creates an event type named "cisco-432".
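The following Python script is an added example, not Splunk code, that models the template expansion described above: it parses a constructed eventtypes.conf fragment, checks a constructed event against the stanza's search (simplified here to a substring match on the event's _raw text, which is an assumption; real Splunk search semantics are much richer), and substitutes each %field% in the stanza name with the event's field value. Events that match the search but lack the referenced field get no event type, which is the edge case worth knowing when a template name depends on a field that is only sometimes extracted.

```python
import re
from typing import Dict, List, Optional

# Constructed eventtypes.conf fragment mirroring the page's example.
SAMPLE_CONF = """
[cisco-%code%]
search = cisco
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
FIELD_RE = re.compile(r"%(?P<field>[^%]+)%")


def parse_eventtypes(conf_text: str) -> Dict[str, str]:
    """Return {stanza name: search string} for each stanza.

    Simplified parser (assumption): one 'search = ...' key per stanza,
    no continuation lines, no other keys of interest.
    """
    stanzas: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas[current] = ""
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "search":
                stanzas[current] = value.strip()
    return stanzas


def event_matches(search: str, event: Dict[str, str]) -> bool:
    """Assumed model of 'search = <term>': the term appears in the event's _raw text."""
    return search.lower() in event.get("_raw", "").lower()


def expand_template(stanza_name: str, event: Dict[str, str]) -> Optional[str]:
    """Replace every %field% in the stanza name with the event's field value.

    Returns None when the event lacks a referenced field, meaning no event
    type can be formed for it.
    """
    missing = False

    def substitute(m: "re.Match[str]") -> str:
        nonlocal missing
        value = event.get(m.group("field"))
        if value is None:
            missing = True
            return ""
        return value

    name = FIELD_RE.sub(substitute, stanza_name)
    return None if missing else name


def event_types_for(conf_text: str, event: Dict[str, str]) -> List[str]:
    """Compute the event type names one event would receive at search time."""
    result: List[str] = []
    for stanza, search in parse_eventtypes(conf_text).items():
        if not event_matches(search, event):
            continue
        name = expand_template(stanza, event)
        if name is not None:
            result.append(name)
    return result


if __name__ == "__main__":
    # Constructed event: matched by 'search = cisco' and carrying code=432.
    evt = {"_raw": "cisco ASA message", "code": "432"}
    print(event_types_for(SAMPLE_CONF, evt))  # ['cisco-432']
```

Running the script prints the single generated event type for the constructed event; swapping in an event without a code field, or one whose _raw text does not contain "cisco", yields an empty list.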
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11.