Splunk® Enterprise

Knowledge Manager Manual


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Classify and group similar events

An event is not the same thing as an event type. An event is a single instance of data — a single log entry, for example. An event type is a classification used to label and group events.

The names of the matching event types for an event are set on the event, in a multivalued field called eventtype. You can search for these groups of events (for example, SSH logins) the same way you search for any field value.

This topic discusses how to save event types and use them in searches. For more information about events, how Splunk recognizes them, and what it does when it processes them for indexing, see the "Overview of event processing" topic in the Getting Data In manual.

Save a search as a new event type

When you search your event data, you're essentially weeding out all unwanted events. Therefore, the results of your search are events that share common characteristics, and you can give them a collective name.

For example, if you often search for failed logins on different host machines, you can create an event type for the events that your search finds and call it failed_login:

"failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user"

To save this search as an event type:

1. Run the search. Once the search is running, click Create and select Event type... You don't have to wait for the search to complete to do this.

2. In Save As Event Type, give your search a Name. For our search example, we'll name it "failed_login".

[Screenshot: the Save As Event Type dialog]

If necessary, you can modify the Search string field, which should be populated automatically with the search you just ran.

You can also optionally add a list of tags that should be applied to the event type in the Tag(s) field. For more about this, see the subsection about tagging event types, below.

3. Click "Save" to save your event type name.

Now, you can quickly search for all the events that match this event type the same way you can search for any field.

For example, you may be interested in finding failed logins on specific host machines:

host=target eventtype=failed_login

Or you may want to investigate a suspicious user's activities:

user=suspicious eventtype=failed_login

Important event type definition restrictions

You cannot base an event type on a search that includes a pipe operator or a subsearch.

In addition, you cannot base an event type on a search that references a search job. For example, if you took the search in the previous example and saved it with the name failed_login_search, you can't create an event type that is defined by the search savedsearch=failed_login_search. In a case like this you should always give the event type the same search string as the search job.

Identify similar events with punct

Because the punctuation of an event is often unique to a specific type of event, Splunk indexes the punctuation characters of each event in the punct field. The values of this field may look cryptic, but they can be an effective way of characterizing similar events.

To apply the punct field to your search results, use the Fields popup discussed in the "Use fields to search" topic in the Splunk Tutorial. Select the punct value for an SSH login event. This updates your search to include this punct combination in the search bar. You may want to consider wildcarding the punctuation to match insignificant variations (for example, "punct=::[]*/*").

Use typelearner to discover new event types

Pass any of your searches into the typelearner command to see Splunk's suggestions for event types. By default, typelearner compares the punctuation of the events resulting from the search, grouping those that have similar punctuation and terms together.

You can specify a different field for Splunk to group the events; typelearner works the same way with any field. The result is a set of events (from your search results) that have this field and phrases in common.

For more information and examples, see "typelearner" in the Search Reference.
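To make the punct mechanism and typelearner's grouping concrete, here is an added Python example (mine, not Splunk's code) that computes an approximate punct value for a handful of constructed log lines, groups the lines by it, lists the terms each group shares, and matches punct values against a search-bar wildcard like the one shown above. The punct mapping (letters and digits dropped, spaces written as _, the pattern cut at 30 characters) and the grouping logic are my approximation of Splunk's behaviour, not its implementation.

```python
import re
from collections import defaultdict

# Assumption: Splunk keeps only the leading 30 characters of the punct pattern.
PUNCT_MAX_LEN = 30

# Constructed sample events (not taken from any real system).
SAMPLE_EVENTS = [
    "Mar 10 08:14:02 host1 sshd[2231]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "Mar 10 08:15:17 host1 sshd[2240]: Accepted password for bob from 10.0.0.7 port 51030 ssh2",
    "Mar 10 08:16:44 host2 sshd[1102]: Failed password for invalid user admin from 10.0.0.9 port 40211 ssh2",
    "Mar 10 08:17:01 host2 sshd[1108]: Failed password for root from 10.0.0.9 port 40215 ssh2",
    '2017-03-10T08:18:00Z app=web level=ERROR msg="Authentication failure" user=carol',
]


def punct_signature(event):
    """Approximate the punct field: drop letters and digits, write spaces as '_'
    (other whitespace is treated the same way here, a simplification), keep every
    other character, and truncate to PUNCT_MAX_LEN."""
    out = []
    for ch in event:
        if ch.isalnum():
            continue
        out.append("_" if ch.isspace() else ch)
        if len(out) >= PUNCT_MAX_LEN:
            break
    return "".join(out)


def group_by_signature(events, key=punct_signature):
    """Group events by a signature function: punct by default, or any other
    field extractor, which is how typelearner's grouping field works."""
    groups = defaultdict(list)
    for ev in events:
        groups[key(ev)].append(ev)
    return dict(groups)


TOKEN_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*")


def common_terms(events):
    """Alphabetic terms that appear in every event of a group."""
    term_sets = [set(TOKEN_RE.findall(ev)) for ev in events]
    return set.intersection(*term_sets) if term_sets else set()


def suggest_event_types(events, key=punct_signature):
    """typelearner-style output: one candidate per group, with the event count
    and the terms the group's events share."""
    return [(sig, len(evs), sorted(common_terms(evs)))
            for sig, evs in group_by_signature(events, key).items()]


def punct_matches(pattern, signature):
    """Match a punct value against a search-bar wildcard such as "::[]*/*"."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, signature) is not None


if __name__ == "__main__":
    for sig, count, terms in suggest_event_types(SAMPLE_EVENTS):
        print(f"{count} event(s)  punct={sig!r}  shared terms={terms}")
```

Running it shows the caveat the two sections above imply: the Accepted and Failed sshd lines share one punct value because their punctuation is identical, so punct alone puts them in the same group, while the shared-terms list for that group contains neither Accepted nor Failed. That is why typelearner also compares terms, and why a wildcarded punct search is worth checking against the events it returns before being saved as an event type.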

Use tags to group and find similar events

Event types can have one or more tags associated with them. You can add these tags when you save a search as an event type, or later from the event type manager, located in Manager > Event types. From the list of event types in this window, select the one you want to edit.

After you add tags to your event types, you can search for them in the same way you search for any tag. Let's say you saved a search for firewall events as the event type firewall_allowed, and then saved a search for login events as the event type login_successful. If you tagged both of these event types with allow, all events of either of those event types can be retrieved by using the search:

tag::eventtype="allow"

For more information about using tags, see the "Tag and alias field values" topic in this manual.
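The following added Python example (mine, not Splunk's code) ties together the sections above on saving an event type, the definition restrictions, and tagging. It parses constructed eventtypes.conf and tags.conf text in the stanza layout I assume for those files, enforces the restrictions (no pipe operator, no subsearch, no savedsearch= reference) before accepting a definition, fills the multivalued eventtype field for a few constructed events, and answers searches of the form host=target eventtype=failed_login and tag::eventtype="allow". The search-language subset it understands (OR-joined quoted phrases, bare words and field=value terms, matched case-insensitively) is a deliberate simplification of the real search language.

```python
import re

# Constructed eventtypes.conf / tags.conf text in the stanza format I assume
# for those files; it is not copied from a real deployment.
EVENTTYPES_CONF = """
[failed_login]
search = "failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user"

[firewall_allowed]
search = action=allowed

[login_successful]
search = "Accepted password"
"""
TAGS_CONF = """
[eventtype=firewall_allowed]
allow = enabled
[eventtype=login_successful]
allow = enabled
"""
# Constructed events: _raw text plus a few already-extracted fields.
SAMPLE_EVENTS = [
    {"_raw": "sshd[2231]: Accepted password for alice from 10.0.0.5", "host": "web1", "user": "alice"},
    {"_raw": "sshd[1108]: Failed password for root; Authentication failure", "host": "target", "user": "root"},
    {"_raw": "fw: action=allowed src=10.0.0.5 dst=10.0.0.20 dport=443", "host": "fw1", "action": "allowed"},
    {"_raw": "app: Failed to authenticate user suspicious", "host": "target", "user": "suspicious"},
]


def parse_conf(text):
    """Minimal [stanza] / key = value parser for the two config files."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def validate_event_type_search(search):
    """Reject what the manual says an event type search may not contain:
    a pipe operator, a subsearch, or a reference to a search job."""
    outside_quotes = re.sub(r'"[^"]*"', "", search)
    if "|" in outside_quotes:
        raise ValueError("pipe operator not allowed in an event type search")
    if "[" in outside_quotes:
        raise ValueError("subsearch not allowed in an event type search")
    if re.search(r"\bsavedsearch\s*=", outside_quotes, re.IGNORECASE):
        raise ValueError("event type may not reference a search job")
    return search


def compile_search(search):
    """Toy subset of the search language: terms joined by OR, each a quoted
    phrase, a bare word, or field=value; matching is case-insensitive."""
    terms = []
    for raw in re.split(r"\s+OR\s+", validate_event_type_search(search).strip()):
        if raw.startswith('"') and raw.endswith('"'):
            terms.append(("phrase", raw[1:-1].lower()))
        elif "=" in raw:
            field, value = raw.split("=", 1)
            terms.append(("field", field, value.strip('"').lower()))
        else:
            terms.append(("phrase", raw.lower()))
    return terms


def load_event_types(conf_text):
    return {name: compile_search(body["search"]) for name, body in parse_conf(conf_text).items()}


def term_matches(term, event):
    if term[0] == "phrase":
        return term[1] in event["_raw"].lower()
    return str(event.get(term[1], "")).lower() == term[2]


def classify(event, event_types):
    """The multivalued eventtype field: every event type whose search matches."""
    return sorted(n for n, terms in event_types.items() if any(term_matches(t, event) for t in terms))


def tags_for(eventtypes, tags):
    """Tags enabled on any of the given event types (tags.conf lookup)."""
    return {tag for n in eventtypes for tag, state in tags.get(f"eventtype={n}", {}).items() if state == "enabled"}


def search(events, event_types, tags, **criteria):
    """Filter like 'host=target eventtype=failed_login'; pass tag_eventtype="allow"
    for the tag::eventtype="allow" form."""
    def ok(ev, key, value):
        ets = classify(ev, event_types)
        if key == "eventtype":
            return value in ets
        if key == "tag_eventtype":
            return value in tags_for(ets, tags)
        return str(ev.get(key, "")).lower() == value.lower()
    return [ev for ev in events if all(ok(ev, k, v) for k, v in criteria.items())]
```

Note that the search string itself is stored verbatim in the definition and only validated on load, which mirrors the manual's rule: an event type is defined by the same search string as the search job, never by a reference to it.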


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16

