Configure event types directly in eventtypes.conf
You can add new event types and update existing event types by configuring eventtypes.conf. There are a few default event types defined in $SPLUNK_HOME/etc/system/default/eventtypes.conf. Any event types you create through Splunk Web are automatically added to $SPLUNK_HOME/etc/system/local/eventtypes.conf.
Configuration
Make changes to event types in eventtypes.conf. Use $SPLUNK_HOME/etc/system/README/eventtypes.conf.example as an example, or create your own eventtypes.conf.
Edit eventtypes.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in the Admin manual.
[$EVENTTYPE]
- Header for the event type.
- $EVENTTYPE is the name of your event type.
- You can have any number of event types, each represented by a stanza and any number of the following attribute/value pairs.
Note: If the name of the event type includes field names surrounded by the percent character (for example, %$FIELD%) then the value of $FIELD is substituted at search time into the event type name for that event. For example, an event type with the header [cisco-%code%] that has code=432 becomes labeled [cisco-432].
disabled = <1 or 0>
- Toggle event type on or off.
- Set to 1 to disable.
search = <string>
- Search terms for this event type.
- For example: error OR warn.
tags = <string>
- Space-separated words that are used to tag an event type.
description = <string>
- Optional human-readable description of the event type.
priority = <integer>
- Splunk uses this value to determine the order in which it displays matching event types for an event. 1 is the highest, and 10 is the lowest.
Note: You can tag eventtype field values the same way you tag any other field/value combination. See the tags.conf spec file for more information.
Example
Here are two event types; one is called web, and the other is called fatal.
[web]
search = html OR http OR https OR css OR htm OR shtml OR xls OR cgi

[fatal]
search = FATAL
Disable event types
Disable an event type by adding disabled = 1 to that event type's stanza in eventtypes.conf:

[$EVENTTYPE]
disabled = 1
$EVENTTYPE is the name of the event type you wish to disable.
So if you want to disable the web event type, add the following entry to its stanza:
[web]
disabled = 1
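The following is an added example, not Splunk code and not part of the original page. It is a small Python script that reads the stanza attributes described above (search, disabled, priority, tags, and %field% substitution in the stanza name) and applies them to sample events, so you can see which event types an event would receive, in priority order, before deploying the file. It assumes a deliberately simplified search grammar (bare keywords, field=value terms with * wildcards, OR and implicit AND) and treats an unset priority as 1; both are assumptions of this example, not statements about Splunk's search engine. The eventtypes.conf text and the events are constructed for the demo.

```python
"""Offline sanity check of eventtypes.conf stanzas against sample events.
Added example; the search grammar here is a simplified stand-in for
Splunk's search language, so use it as a lint step, not as the engine."""
import configparser
import re
from fnmatch import fnmatchcase

# Constructed eventtypes.conf for the demo (not a deployed file).
SAMPLE_CONF = """
[web]
search = html OR http OR https OR css OR htm OR shtml OR xls OR cgi
tags = web access
priority = 5

[fatal]
search = FATAL
priority = 1

[cisco-%code%]
search = vendor=cisco code=*
priority = 3

[noisy]
search = debug
disabled = 1
"""

# Constructed events: _raw text plus a few already-extracted fields.
SAMPLE_EVENTS = [
    {"_raw": "GET /index.html HTTP/1.1 200", "host": "www1"},
    {"_raw": "FATAL: out of memory while serving /admin.cgi", "host": "www1"},
    {"_raw": "%ASA-6-302013: Built outbound TCP connection",
     "vendor": "cisco", "code": "302013"},
    {"_raw": "debug: heartbeat ok", "host": "www2"},
]


def load_eventtypes(text):
    """Parse stanzas and drop any with disabled = 1. An unset priority is
    taken as 1 (assumption of this example; check the eventtypes.conf spec)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    types = []
    for name in cp.sections():
        s = cp[name]
        if s.get("disabled", "0").strip() == "1":
            continue
        types.append({
            "name": name,
            "search": s.get("search", "").strip(),
            "priority": int(s.get("priority", "1")),
            "tags": s.get("tags", "").split(),
        })
    return types


def parse_search(search):
    """Split a search into OR-groups that are ANDed together:
    'a b OR c' -> [['a'], ['b', 'c']]. OR binds tighter than the implicit
    AND between adjacent terms (assumed here to mirror Splunk)."""
    groups, current, pending_or = [], [], False
    for tok in search.split():
        if tok.upper() == "OR":
            pending_or = True
            continue
        if tok.upper() == "AND":
            continue  # explicit AND behaves like the implicit one
        if pending_or and current:
            current.append(tok)
        else:
            if current:
                groups.append(current)
            current = [tok]
        pending_or = False
    if current:
        groups.append(current)
    return groups


def term_matches(term, event):
    """field=value compares an extracted field (case-insensitive, * wildcard);
    a bare keyword must occur as a whole token in _raw."""
    if "=" in term:
        field, pattern = term.split("=", 1)
        value = event.get(field)
        return value is not None and fnmatchcase(str(value).lower(), pattern.lower())
    raw = event.get("_raw", "")
    return re.search(r"(?<!\w)" + re.escape(term) + r"(?!\w)", raw, re.IGNORECASE) is not None


def search_matches(search, event):
    groups = parse_search(search)
    if not groups:
        return False  # a stanza with no search terms must not match everything
    return all(any(term_matches(t, event) for t in group) for group in groups)


def resolve_name(name, event):
    """[cisco-%code%] with code=432 is labelled cisco-432 at search time."""
    return re.sub(r"%([^%\s]+)%",
                  lambda m: str(event.get(m.group(1), m.group(0))), name)


def classify(event, eventtypes):
    """Return (name, priority, tags) for every matching event type,
    ordered so that priority 1 comes first."""
    hits = [(resolve_name(et["name"], event), et["priority"], et["tags"])
            for et in eventtypes if search_matches(et["search"], event)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


EVENTTYPES = load_eventtypes(SAMPLE_CONF)

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        names = [h[0] for h in classify(ev, EVENTTYPES)] or ["(no event type)"]
        print(f"{ev['_raw'][:45]:45s} -> {', '.join(names)}")
```

Running the script shows the second event matched by both fatal and web, with fatal listed first because of its priority, the Cisco event labelled cisco-302013 through name substitution, and the debug event receiving nothing because the noisy stanza is disabled.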
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2.
Comments
> Note: You cannot create an event type with searches specifying an index, hosttag, eventtypetag, sourcetype, or the pipe operator.
I am using index=foo in my eventtype definitions and it seems to work! Does it mean my index=foo is ignored, or is the above note wrong?
Lrhazi: Thanks for catching this. Looks like that change to event type functionality wasn't updated in this topic. It's fixed now.