About event types
Event types are a categorization system to help you make sense of your data. Event types let you sift through huge amounts of data, find similar patterns, and create alerts and reports.
Note: Using event types as a short cut for search is not recommended. If you want to shorten a portion of a search, it is much better to use a search macro. Search macros are more flexible in what they can express, can include other search commands and not just base query terms, can be parameterized, and do not incur costs when events are retrieved. This can sometimes be easier to manage, because, for example, a single search macro can take the place of multiple event types.
For more information about using search macros, see using search macros in searches.
Event types and the search-time operations sequence
When you run a search, Splunk software runs several operations to derive knowledge objects and apply them to events returned by the search. Splunk software performs these operations in a specific sequence.
Search-time operations order
Event types come seventh in the search-time operations order, before tags but after lookups.
Splunk software processes event types first by priority score and then by ASCII sort order. Search strings that define event types cannot reference tags, because event types are always processed and added to events before tags.
For more information
For more information about search-time operations, see search-time operations sequence.
How event types work
Every event that can be returned by that search gets an association with that event type. For example, say you have this search:
sourcetype=access_combined status=200 action=purchase
If you save that search as an event type named
successful_purchase, any event that can be returned by that search gets
eventtype=successful_purchase added to it at search time. This happens even if you are searching for something completely different.
Note: Using event types can consume a lot of data, because any search attempts to correlate events with any known event type. As more event types are defined, the cost in search performance goes up. You can examine the execution costs of search commands with the
command.search.typer parameter. See search job inspector.
To build a search that works with events that match that event type, include
eventtype=access_combined as a search term.
A single event can match multiple event types. When an event matches two or more event types,
eventtype acts as a multi-value field.
Important event type definition restrictions
You cannot base an event type on a search that:
- Includes a pipe operator after a simple search.
- Includes a subsearch.
- Is defined by a simple search that uses the
savedsearchcommand to reference a report name. For example, if you have a report named
failed_login_search, you should not use this search to define the event type:
| savedsearch failed_login_search. In this case you should instead use the search string that defines
failed_login_searchas the definition of the event type.
This last point is more of a best practice than a strict limitation. You want to avoid situations where the search string underneath
failed_login_search is modified by another user at a future date, possibly in a way that breaks the event type. You have more control over the ongoing validity of the event type if you use actual search strings in its definition.
Creating event types
The simplest way to create a new event type is through Splunk Web. After you run a search that would make a good event type, click Save As and select Event Type. This opens the Save as Event Type dialog, where you can provide the event type name and optionally apply tags to it. For more information about saving searches as event types, see Define and maintain event types in Splunk Web.
You can also create new event types by modifying
eventtypes.conf. For more information about manually configuring event types in this manner, see Configure event types directly in eventtypes.conf.
Event types can have one or more tags associated with them. You can add these tags while you save a search as an event type and from the event type manager, located in Settings > Event types. From the list of event types in this window, select the one you want to edit.
Tag event types to organize your data into categories. There can be multiple tags per event. You can tag an event type in Splunk Web or configure it in
tags.conf. For more information about event type tagging, see Tag event types.
Use event type tags to help track abstract field values such as HTTP access logs, IP addresses, or ID numbers by giving them more descriptive names. Add tags to event types by going to Settings > Event types. Select the event type from the list of event types in this menu.
After you add tags to your event types, search for them in the same way you search for any tag.Let’s say that we have saved a search for page not found as the event type
status=404and then saved a search for failed authentication as the event type
status=403. If you tagged both of these event types with HTTP client error, all events of either of those event types can be retrieved by using the search:
tag::eventtype=HTTP client error
For more information about using tags, see Tag field value pairs in Search.
Event type tags are commonly used in the Common Information Model (CIM) add-on for the Splunk platform in order to normalize newly indexed data from an unfamiliar source type. We can use tags to identify different event types within a single data source.
You can apply CIM-compliant tags to your data.
- From Splunk Web, select Settings > Data Models. Find the data model dataset that you want to map your data to, then identify its associated tags. For example, the
cpu_load_percentobject in the
Performancedata model has the following tags associated with it:
tag = performance
tag = cpu
- Create the appropriate event types in the Events type manager in Splunk Web by going to Settings > Event types. You can also edit the
- Create the appropriate tags in Splunk Web. Select Settings > Event types, locate the event type that you want to tag and click on its name. You can also edit the
For more information about the Common Information Model and event tagging, see Configure CIM-compliant event tags.
About Splunk regular expressions
Define event types in Splunk Web
This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7