Group similar events using event types
It looks like you are going to be running a lot of searches on these particular events: index="test" sourcetype="weblog" OR sourcetype="J2EElog" OR sourcetype="APIlog". You want a fast way to search on them and to be able to combine them with other searches and to see which events are of this type. Splunk lets you group events together using event types, cross-referenced searches that categorize events at search time. Event types are helpful when you want to specify a class of events to search on; you can also choose to see a list of all the event types for each result in your search.
This section gives a quick overview of event types and shows how to create and use a CONTENT_EVENTS event type that pulls the events from your three types of application logs together -- weblogs, j2eelogs, and apilogs.
Understand event types
Technically, an event type is a search string that you save with a name and a priority. When you run any search, you can choose to see what event types the results belong to. For example, it's very common to build an event type that grabs all your important errors; the definition for this ends up looking something like FAIL* OR WARN* OR ERROR NOT IGNORE_THIS NOT THIS_IS_NOT_SERIOUS_EITHER. You give this event type a name, like ERRORS_I_CARE_ABOUT or BIG_TROUBLE, and any time you search, you can have that name displayed on each event that matches, even if you didn't use the event type in the search. This lets you pick your labeled events out of a lineup.
Some other things to know about event types:
- If an event matches multiple event types, all of the matching event types are displayed on the event. You can prioritize event types to control the order in which they display, so you'd give BIG_TROUBLE priority 1 to make sure it shows up ahead of your ALL_NETWORK_DEVICES event type any time an event has both.
- You can see event types in your results by clicking on eventtype in the Field menu and selecting Show in results.
- You can incorporate an event type into a longer search, by combining it with other terms, and/or using it in pipes - anywhere the expanded search would make sense.
- You can make an event type global or scope it to a specific app.
- Not every search can be an event type; there are some restrictions.
- For more information about event types, see Define and maintain event types in the Knowledge manual.
Create an event type
This section shows how to create an event type that restricts your search to events that are directly related to customer and application activity. This means events coming from the web logs, J2EE logs, or API logs. You can also use the event type to look for events from the test index.
1. Go to Manager > Event types.
2. Click New.
3. Make sure search is selected for the Destination App.
4. Enter CONTENT_EVENTS for Name. Since you type event types directly into the search bar, you cannot use spaces in the name.
5. Enter the following search string:
index=test sourcetype=apilog OR sourcetype=j2eelog OR sourcetype=weblog
6. Enter 5 for the Priority. Priority is a number between 1 and 10 that determines the order in which event type names are displayed in search results. Lower numbers have higher priority. In general, reserve low numbers, like 1 or 2, for event types that are important to you, such as errors or critical events.
7. Click Save.
See Adding an event type in the Knowledge manual for more information.
Use the event type in a search
Behind the scenes, defining an event type adds a new field, eventtype, to every event that matches it. Use this field to search for events that match your event type. This gives exactly the same results as entering the search string directly.
1. Click Back to Search to return to the Search app.
2. Enter the following in the search box:
eventtype="CONTENT_EVENTS"
3. Press Enter/Return or click the > button to run the search.
4. To show event types in your results, go to the field menu at the lower left.
5. Click on eventtype in the Other interesting fields section. You see a pop-up histogram window.
6. Click on Select/show in results.
7. The event type is shown at the bottom of each matching result, along with the source, source type, and host.
Combine an event type with other search entries
You can include an event type in a more complex search. For example, you can look for any failures in your CONTENT_EVENTS logs.
1. Enter
eventtype="CONTENT_EVENTS" fail*
Notice that you can combine matching on an event type or other field with matching raw text. Splunk is very flexible and allows you to partially structure your data and use as much or as little of that structure as you want. When you add more structure, you can still use everything that worked for your unstructured data.
2. Press Enter or Return to run the search. You will see a list of different types of failures from different logs. These failures appear in different fields, but by matching only on the string, you found all of them.
#### 2010-03-22 15:26:12,141
nameSpace: content.static.API
subscriberID: 6058876876
callerID: TTCOV106965256-5140819
driver: content.jdbc.ContentDriver
callerAction: MAR10132LA
host: 10.52.60.107
connectionResult: FAILURE
Details: Waiting for instruction from method: InquireAccountProfile; unable to respond to caller
<TRANSACTION date="2010-03-22 15:26:12,076" activityCode="1020" sequenceNumber="106965256" callerID="MAR10132LA" accountNumber="COT6058876876 subscriberID="6058876876" transactionStatus="WAITING" result="FAILURE" host="10.52.60.107" comment="Waiting for API: API Not responding" />
Note: Something to be aware of in Splunk is that when you search on a field, the search is case-sensitive, for example, result="FAIL*" will match FAILURE but will not match failure in the result field. But when you search on an arbitrary string, without any field structure, results are case-insensitive, for example, "FAIL*" will catch both FAILURE and failure. This is because it seems reasonable to assume that if you use a field, you have some idea of the format of the results you want, while if you search on arbitrary text, you may have less knowledge about your events.
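As an added example (not from the original page), the following search extends the failure search above: it combines the CONTENT_EVENTS event type with a case-insensitive raw-text match and case-sensitive field matches of the kind the note above describes, then counts failures per source type. It assumes that result and connectionResult are extracted as fields from events like the sample above, as the note implies for result.

```spl
eventtype="CONTENT_EVENTS" (fail* OR result="FAILURE" OR connectionResult="FAILURE")
| eval status=coalesce(result, connectionResult, "unknown")
| stats count AS failures BY sourcetype, status
| sort - failures
```

The raw term fail* catches FAILURE and failure alike, while result="FAILURE" only matches that exact spelling; the eval step folds whichever failure field each log uses into a single status column so that stats does not drop events that lack one of them.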
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8.