Configure event types in eventtypes.conf
You can add new event types and update existing event types by configuring eventtypes.conf. There are a few default event types defined in $SPLUNK_HOME/etc/system/default/eventtypes.conf. Any event types you create through Splunk Web are automatically added to
Important event type definition restrictions
You cannot base an event type on a search that:
- Includes a pipe operator after a simple search.
- Includes a subsearch.
- Is defined by a simple search that uses the savedsearch command to reference a report name. For example, if you have a report named failed_login_search, you should not use this search to define the event type: | savedsearch failed_login_search. In this case you should instead use the search string that defines failed_login_search as the definition of the event type.
This last point is more of a best practice than a strict limitation. You want to avoid situations where the search string underneath failed_login_search is modified by another user at a future date, possibly in a way that breaks the event type. You have more control over the ongoing validity of the event type if you use actual search strings in its definition.
- See About event types for more information on event types.
- See About event type priorities for information on event type priorities.
Configuring an event type in eventtypes.conf
Make changes to event types in $SPLUNK_HOME/etc/system/local/, or in your own custom app directory in $SPLUNK_HOME/etc/apps/. Use $SPLUNK_HOME/etc/system/README/eventtypes.conf.example as an example, or create your own eventtypes.conf. See About configuration files in the Admin Manual.
[$EVENTTYPE]
- Header for the event type. $EVENTTYPE is the name of your event type.
- You can have any number of event types, each represented by a stanza and any number of the following attribute/value pairs.
Note: If the name of the event type includes field names surrounded by the percent character (for example, %$FIELD%), then the value of $FIELD is substituted at search time into the event type name for that event. For example, an event type with the header [cisco-%code%] that has code=432 becomes labeled cisco-432.
disabled = <1 or 0>
- Toggle event type on or off.
- Set to 1 to disable.
search = <string>
- Search terms for this event type.
- For example: error OR warn.
description = <string>
- Optional human-readable description of the event type.
priority = <integer>
- Specifies the order in which matching event types are displayed for an event. 1 is the highest, and 10 is the lowest.
color = <string>
- Color for this event type.
- Supported colors: none, et_blue, et_green, et_magenta, et_orange, et_purple, et_red, et_sky, et_teal, et_yellow.
Note: You can tag eventtype field values the same way you tag any other field/value combination. See the tags.conf spec file for more information.
Here are two event types; one is called web, and the other is called fatal.
[web]
search = html OR http OR https OR css OR htm OR html OR shtml OR xls OR cgi

[fatal]
search = FATAL
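As an added example (not code from the Splunk docs), the script below parses an eventtypes.conf, flags stanzas whose search breaks the restrictions listed above (pipe after a simple search, subsearch, savedsearch reference) or uses an out-of-range priority or unsupported color, and performs the %field% substitution in an event type name. The sample stanzas are constructed, and leaving unknown %field% tokens in place is this example's own assumption.

```python
import configparser
import re
# Constructed sample eventtypes.conf (not from the Splunk docs); the last two stanzas break the rules.
SAMPLE_CONF = """
[web]
search = html OR http OR https OR css OR htm OR shtml OR xls OR cgi
priority = 5
color = et_blue
[fatal]
search = FATAL
disabled = 1
[cisco-%code%]
search = sourcetype=cisco_syslog
[bad_subsearch]
search = error [search sourcetype=access_combined | fields host]
[bad_saved]
search = | savedsearch failed_login_search
"""
COLORS = {"none", "et_blue", "et_green", "et_magenta", "et_orange",
          "et_purple", "et_red", "et_sky", "et_teal", "et_yellow"}
def parse_eventtypes(text):
    """Stanzas -> {name: {attr: value}}; interpolation off so '%' stays literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def check_stanza(attrs):
    """List the rules this stanza violates (empty list means it is acceptable)."""
    problems, depth, quoted, s = [], 0, False, attrs.get("search", "")
    for ch in s:  # scan outside double quotes, tracking [ ] nesting depth
        if ch == '"':
            quoted = not quoted
        elif quoted:
            continue
        elif ch in "[]":
            depth += 1 if ch == "[" else -1
            problems.append("subsearch")
        elif ch == "|" and depth == 0:
            problems.append("pipe after simple search")
    if re.search(r"\bsavedsearch\b", s):
        problems.append("references a report via savedsearch")
    if not 1 <= int(attrs.get("priority", "1")) <= 10:
        problems.append("priority must be 1..10")
    if attrs.get("color", "none") not in COLORS:
        problems.append("unsupported color")
    return sorted(set(problems))

def expand_name(name, event):
    """Substitute %field% from the event's fields; unknown fields stay literal (assumption)."""
    return re.sub(r"%(\w+)%", lambda m: str(event.get(m.group(1), m.group(0))), name)
```

Run check_stanza over every stanza from parse_eventtypes(SAMPLE_CONF) before deploying a conf to catch definitions that Splunk will reject or that depend on a report someone else can edit.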
Disable event types
Disable an event type by adding disabled = 1 to the event type stanza:
[$EVENTTYPE]
disabled = 1
$EVENTTYPE is the name of the event type you wish to disable.
So if you want to disable the web event type, add the following entry to its stanza:
[web]
disabled = 1
This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3