Splunk® Enterprise

Knowledge Manager Manual

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Configure event types directly in eventtypes.conf

You can add new event types and update existing event types by configuring eventtypes.conf. There are a few default event types defined in $SPLUNK_HOME/etc/system/default/eventtypes.conf. Any event types you create through Splunk Web are automatically added to $SPLUNK_HOME/etc/system/local/eventtypes.conf.


Make changes to event types in eventtypes.conf. Use $SPLUNK_HOME/etc/system/README/eventtypes.conf.example as an example, or create your own eventtypes.conf.

Edit eventtypes.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in the Admin manual.


  • Header for the event type
  • $EVENTTYPE is the name of your event type.
    • You can have any number of event types, each represented by a stanza and any number of the following attribute/value pairs.

Note: If the name of the event type includes field names surrounded by the percent character (for example, %$FIELD%) then the value of $FIELD is substituted at search time into the event type name for that event. For example, an event type with the header [cisco-%code%] that has code=432 becomes labeled [cisco-432].

disabled = <1 or 0>

  • Toggle event type on or off.
  • Set to 1 to disable.

search = <string>

  • Search terms for this event type.
  • For example: error OR warn.

tags = <string>

  • Space separated words that are used to tag an event type.

description = <string>

  • Optional human-readable description of the event type.

priority = <integer>

  • Splunk uses this value to determine the order in which it displays matching event types for an event. 1 is the highest, and 10 is the lowest.

Note: You can tag eventtype field values the same way you tag any other field/value combination. See the tags.conf spec file for more information.


Here are two event types; one is called web, and the other is called fatal.

search = html OR http OR https OR css OR htm OR html OR shtml OR xls OR cgi

search = FATAL

Disable event types

Disable an event type by adding disabled = 1 to the event type stanza eventtypes.conf:

disabled = 1

$EVENTTYPE is the name of the event type you wish to disable.

So if you want to disable the web event type, add the following entry to its stanza:

disabled = 1
Define and maintain event types in Splunk Web
Configure event type templates

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Lrhazi: Thanks for catching this. Looks like that change to event type functionality wasn't updated in this topic. It's fixed now.

September 22, 2010

> Note: You cannot create an event type with searches specifying an index, hosttag, eventtypetag, sourcetype, or the pipe operator.<br /><br />I am using the index=foo in my eventtype definitions and it seems to work! does it mean my index=foo is ignored, or the above note is wrong?

September 22, 2010

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters