Classify and group similar events
The names of the matching event types for an event are set on the event, in a multivalued field called
eventtype. You can search for these groups of events (for example, SSH logins) the same way you search for any field value.
This topic discusses how to save event types and use them in searches. For more information about events, how Splunk recognizes them, and what it does when it processes them for indexing, see the "Overview of event processing" topic in the Getting Data In manual.
Save a search as a new event type
When you search your event data, you're essentially weeding out all unwanted events. Therefore, the results of your search are events that share common characteristics, and you can give them a collective name.
For example, if you often search for failed logins on different host machines, you can create an event type for the events that your search finds and call it
"failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user"
To save this search as an eventtype:
1. Run the search. Once the search is running, click Create and select Event type... You don't have to wait for the search to complete to do this.
2. In Save As Event Type, give your search a Name. For our search example, we'll name it "failed_login".
If necessary, you can modify the Search string field, which should be populated automatically with the search you just ran.
You can also optionally add a list of tags that should be applied to the event type in the Tag(s) field. For more about this see the subsection about tagging event types, below.
3. Click "Save" to save your event type name.
Now, you can quickly search for all the events that match this event type the same way you can search for any field.
For example, you may be interested it in finding failed logins on specific host machines:
Or you may want to investigate a suspicious user's activities:
Important event type definition restrictions
In addition, you cannot base an event type on a search that references a search job. For example, if you took the search in the previous example and saved it with the name
failed_login_search, you can't create an event type that is defined by the search
savedsearch=failed_login_search. In a case like this you should always give the event type the same search string as the search job.
Identify similar events with punct
Because the punctuation of an event is often unique to a specific type of event, Splunk indexes the punctuation characters of event in the
punct field. The values of this field may look cryptic, but they can be an effective way of characterizing similar events.
To apply the
punct field to your search results, use the Fields popup discussed in the "Use fields to search" topic in the Splunk Tutorial. Select the
punct value for an SSH login event. This updates your search to include this
punct combination in the search bar. You may want to consider wildcarding the punctuation to match insignificant variations (for example, "punct=::*/*").
Use typelearner to discover new event types
Pass any of your searches into the
typelearner command to see Splunk's suggestions for event types. By default,
typelearner compares the punctuation of the events resulting from the search, grouping those that have similar punctuation and terms together.
You can specify a different field for Splunk to group the events;
typelearner works the same way with any field. The result is a set of events (from your search results) that have this field and phrases in common.
For more information and examples, see "typelearner" in the Search Reference.
Event types can have one or more tags associated with them. You can add these tags while you save a search as an event type and from the event type manager, located in Manager > Event types. From the list of event types in this window, select the one you want to edit.
After you add tags to your event types, you can search for them in the same way you search for any tag. Let's say you saved a search for firewall events as the event type
firewall_allowed, and then saved a search for login events as the event type
login_successful. If you tagged both of these event types with allow, all events of either of those event types can be retrieved by using the search:
For more information about using tags, see the "Tag and alias field values" topic in this manual.
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16