Knowledge Manager Manual
Define and maintain event types in Splunk Web

Any search that does not contain a search command or involve a "pipe" operator can be saved as an event type. A single event can match multiple event types.

Any event types you create through Splunk Web are automatically added to eventtypes.conf in $SPLUNK_HOME/etc/users/<your-username>/<App>/local/, where <App> is the App you were in when you created the event type. If you change the permissions on the event type to make it available to all users (either in the app, or globally to all apps), Splunk moves the event type to $SPLUNK_HOME/etc/apps/<App>/local/.

Save a search as an event type

To save a search as an event type:

The Save Event Type dialog box will pop up, pre-populated with your search terms.

You can now use your event type in searches:

eventtype=foo

Add and maintain event types in Manager

The Event Types page in Manager enables you to view and maintain details of the event types that you have created or which you have permission to edit. You can also add new event types through the Event Types page. Event types displayed on the Event Types page may be available globally (system-wide) or they may apply to specific Apps.

Adding an event type in Manager

To add an event type through Manager, navigate to the Event Types page and click New. Splunk takes you to the Add New event types page.

(Screenshot: the Add New event types page in Manager)

From this page you enter the new event type's Destination App, Name, and the Search string that ultimately defines the event type (see "Save a search as an event type", above).

Note: All event types are initially created for a specific App. To make a particular event type available to all users on a global basis, you have to locate the event type on the Event Types page, click its Permissions link, and change the This app only selection to All apps.

You can optionally include Tags for the event type. For more information about tagging event types and other kinds of Splunk knowledge, see "About tags and aliases" in this manual.

You can also optionally select a Priority for the event type, where 1 is the highest priority and 10 is the lowest. The Priority setting is important for common situations where you have events that fit two or more event types. When the event turns up in search results, Splunk displays the event types associated with the event in a specific order. You use the Priority setting to ensure that certain event types take precedence over others in this display order.

If you have a number of overlapping event types, or event types that are subsets of larger ones, you may want to give the precisely focused event types a higher priority (that is, a lower Priority number). For example, you could easily have a set of events that are part of a wide-ranging system_error event type. Within that large set of events, you could have events that also belong to more precisely focused event types like critical_disc_error and bad_external_resource_error.

In a situation like this, you could give the system_error event type a Priority of 10, while giving the other two event types Priority values in the 1 to 5 range. This way, when events that match both system_error and critical_disc_error appear in search results, the critical_disc_error event type is always listed ahead of the system_error event type.
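A worked example of the Priority ordering described above, added here and not part of the Splunk documentation: it parses a constructed eventtypes.conf fragment (stanza name, search, priority), applies each event type's search terms to constructed sample events with a simplified "all terms present" match (an assumption standing in for Splunk's real search evaluation), and orders the matching event types by Priority, lowest number first.

```python
import configparser
import shlex

# Constructed eventtypes.conf fragment using the page's example event types.
# Stanza name = event type name; "search" defines it, "priority" is 1 (highest) to 10 (lowest).
EVENTTYPES_CONF = """
[system_error]
search = error
priority = 10

[critical_disc_error]
search = error disk "I/O failure"
priority = 1

[bad_external_resource_error]
search = error "connection refused"
priority = 3
"""

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "Mar 3 12:00:01 host1 kernel: error: disk sda I/O failure on sector 1024",
    "Mar 3 12:00:05 host1 app[42]: error: connection refused by resource api.example",
    "Mar 3 12:00:09 host1 app[42]: info: request completed",
]


def load_eventtypes(conf_text):
    """Parse eventtypes.conf stanzas into {name: (search_terms, priority)}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    eventtypes = {}
    for name in parser.sections():
        terms = shlex.split(parser.get(name, "search"))  # quoted phrases stay whole
        eventtypes[name] = (terms, parser.getint(name, "priority"))
    return eventtypes


def matching_eventtypes(event, eventtypes):
    """Return the event types an event matches, ordered by Priority (1 first).

    Matching here is a simplified model: every search term must occur in the
    event text, case-insensitively. Ties in Priority are broken by name.
    """
    text = event.lower()
    matches = [(priority, name) for name, (terms, priority) in eventtypes.items()
               if all(term.lower() in text for term in terms)]
    return [name for _, name in sorted(matches)]


if __name__ == "__main__":
    types = load_eventtypes(EVENTTYPES_CONF)
    for event in SAMPLE_EVENTS:
        print(matching_eventtypes(event, types), "<-", event)
```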

Maintaining event types in Manager

To update the details of an event type, locate it in the list on the Event Types page in Manager, and click its name. Splunk takes you to the details page for the event type, where you can edit the Search string, Tags, and Priority for the event type, if you have the permissions to do so. You can also update permissions for event types and delete event types through the Event Types page, if you have edit permissions for them.

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11