Splunk® Enterprise

Knowledge Manager Manual

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

About event types

Event types are a categorization system to help you make sense of your data. Event types let you sift through huge amounts of data, find similar patterns, and create alerts and reports.

Events versus event types

An event is a single record of activity within a log file. An event typically includes a timestamp and provides information about what occurred on the system being monitored or logged.

An event type is a user-defined field that simplifies search by letting you categorize events. Event types let you classify events that have common characteristics. When your search results come back, they're checked against known event types. An event type is applied to an event at search time if that event matches the event type definition in eventtypes.conf. Tag or save event types after indexing your data.

Event type classification

There are several ways to create your own event types. Define event types via Splunk Web or through configuration files, or you can save any search as an event type. When saving a search as an event type, you may want to use the punct field to craft your searches. The punct field helps you narrow down searches based on the structure of the event.

Use the punct field to search on similar events

Because the format of an event is often unique to an event type, Splunk indexes the punctuation characters of events as a field called punct. The punct field stores the first 30 punctuation characters in the first line of the event. This field is useful for finding similar events quickly.

When you use punct, keep in mind:

  • Quotes and backslashes are escaped.
  • Spaces are replaced with an underscore (_).
  • Tabs are replaced with a "t".
  • Dashes that follow alphanumeric characters are ignored.
  • Interesting punctuation characters are:
",;-#$%&+./:=?@\\'|*\n\r\"(){}<>[]^!"
  • The punct field is not available for events in the _audit index because those events are signed using PKI at the time they are generated.

For an introduction to the punct field and other methods of event classification, see "Classify and group similar events" topic in the User manual.

Punct examples

This event:

####<Jun 3, 2005 5:38:22 PM MDT> <Notice> <WebLogicServer> <bea03> <asiAdminServer> <WrapperStartStopAppMain> <>WLS Kernel<> <> <BEA-000360> <Server started in RUNNING mode>

Produces this punctuation:

####<_,__::__>_<>_<>_<>_<>_<>_

This event:

172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953

Produces this punctuation:

..._-_-_[:::_-]_\"_?=_/.\"__

Event type discovery

Pipe any search to the typelearner command and create event types directly from Splunk Web. The file eventdiscoverer.conf is mostly deprecated, although you can still specify terms to ignore when learning new event types in Splunk Web.

Create new event types

The simplest way to create a new event type is through Splunk Web. Save an event type much in the same way you save a search. For more information, see "Define and maintain event types in Splunk Web" in this manual.

Create new event types by modifying eventtypes.conf. For more about saving searches as event types, see the "Classify and group similar events" topic in the User manual.

Event type tags

Tag event types to organize your data into categories. There can be multiple tags per event. For more information about event type tagging, see the "Tag event types" topic in this manual

Configuration files for event types

Event types are stored in eventtypes.conf.

Terms for event type discovery are set in eventdiscoverer.conf.

PREVIOUS
Configure multivalue fields
  NEXT
Define and maintain event types in Splunk Web

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters