Splunk® Enterprise

Knowledge Manager Manual

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Define and maintain event types in Splunk Web

You base event types on searches that return useful collections of events in their results. A single event can match multiple event types.

Any event types you create through Splunk Web are automatically added to eventtypes.conf in $SPLUNK_HOME/etc/users/<your-username>/<app>/local/, where <app> is the app you were in when you created the event type. If you change the permissions on the event type to make it available to all users (either in the app, or globally to all apps), Splunk moves the event type to $SPLUNK_HOME/etc/apps/<App>/local/.

Important event type definition restrictions

You cannot base an event type on a search that includes a pipe operator or a subsearch .

In addition, you cannot base an event type on a search that references a saved search. For example, if you have a saved search with the name failed_login_search, you can't create an event type that is defined by the search savedsearch=failed_login_search. In a case like this you should always give the event type the same search string as the saved search.

Save a search as an event type

To save a search as an event type:

  • Enter the search and run it.
  • Click Create and select Event type...

The Save Event Type dialog box pops up, pre-populated with your search string.

  • Name the event type.
  • Optionally add one or more comma-separated tags for the event type.
  • Click Save.

You can now use your event type in searches. If you named your event type foo, you'd use it in a search like this:


Automatically find and build event types

Unsure whether you have any potentially useful event types in your IT data? Splunk provides utilities that dynamically and intelligently locate and create useful event types:

  • Find event types: The findtypes search command analyzes a given set of events and identifies common patterns that could be turned into useful event types.
  • Build event types: The Build Event Type utility enables you to dynamically create event types based on events returned by searches. This utility also enables you to assign specific colors to event types. For example, if you say that a "sendmail error" event type is red, then the next time you run a search that returns events that fit that event type, they'll be easy to spot, because they'll show up as red in the event listing.

Find event types

To use the event type finder, add this to the end of your search:

...| findtypes

Searches that use the findtypes command return a breakdown of the most common groups of events found in the search results. They are:

  • hierarchically ordered in terms of "coverage" (frequency). This helps you easily identify kinds of events that are subsets of larger event groupings.
  • coupled with searches that can be used as the basis for event types that will help you locate similar events.

Event type finder results.png

By default, findtypes returns the top 10 potential event types found in the sample, in terms of the number of events that match each kind of event discovered. You can increase this number by adding a max argument: findtypes max=30

Splunk also indicates whether or not the event groupings discovered with findtypes have already been associated with other event types.

Note: The findtypes command analyzes 5000 events at most to return these results. You can lower this number using the head command for a more efficient search:

...| head 1000 | findtypes

Test potential searches before saving them as event types

When you identify a potentially useful event grouping, test the search associated with it to see if it returns the results you want. Click Test for the event grouping in which you are interested in to see its associated search run in a separate window. After the search runs, review the results it returns to determine whether or not it is capturing the specific information you want.

Save a tested search as an event type

When you find a search that returns the right collection of results, save it as an event type by clicking Save for the event grouping with which it is associated. The Save Event Type dialog appears. Enter a name for the event type, and optionally identify one or more tags that should be associated with it, separated by commas. You can also edit the search if necessary.

Build event types

If you find an event in your search results that you'd like to base an event type on, open the dropdown event menu (find the down arrow next to the event timestamp) and click Build event type.

4.3 event type builder opening.png

Splunk takes you to the Build Event Type utility (often referred to as the "Event Type Builder"). You can use this utility to design a search that returns a select set of events, and then create an event type based on that search.

The Build Event Type utility finds a set of sample events that are similar to the one you selected from your search results. In the Event type features sidebar, you'll find possible field/value pairings that you can use to narrow down the event type search further.

The Build Event Type utility also displays a search string under Generated event type at the top of the page. This is the search that the event type you're building will be based upon. As you select other field/value pairs in the Event type features sidebar, the Generated event type updates to include those selections. The list of sample events updates as well, to reflect the kinds of events that the newly modified event type search would return.

If you want to edit the event type search directly, click Edit. This brings up the Edit Event Type dialog, which you can use to edit the search string.

Test potential searches before saving them as event types

When you build a search that you think might be a useful event type, test it. Click Test to see the search run in a separate window.

Save a tested search as an event type

If you test a search and it looks like it's returning the correct set of events, you can click Save to save it as an event type. The Save Event Type dialog appears.

4.3 event type builder colorization1.png

Enter a name for the event type. Then, you can optionally use the Style list to associate a color for the event type. After you save, any event that matches the event type will appear in search results in that color. For example, say you create an event type called sendmail_bounce and save it with a Style of red. Then, when you run a search that returns events that match this event type, those events will be easy to spot, because they'll be colored red.

You can use the Priority list to help Splunk handle situations where events match more than one event type with a Style setting. For example, say you have two event types: one with a High priority and a red style, and one with an Average priority and a teal style. If an event in your results matches both of these event types, the High priority event type trumps the Average priority event type, and the event appears red in your search results.

Add and maintain event types in Manager

The Event Types page in Manager enables you to view and maintain details of the event types that you have created or which you have permission to edit. You can also add new event types through the Event Types page. Event types displayed on the Event Types page may be available globally (system-wide) or they may apply to specific Apps.

Adding an event type in Manager

To add an event type through Manager, navigate to the Event Types page and click New. Splunk takes you to the Add New event types page.


From this page you enter the new event type's Destination App, Name, and the Search string that ultimately defines the event type (see "Save a search as an event", above).

Note: All event types are initially created for a specific App. To make a particular event type available to all users on a global basis, you have to locate the event type on the Event Types page, click its Permissions link, and change the This app only selection to All apps. For more information about setting permissions for event types (and other knowledge object types), see "Manage knowledge object permissions," in this manual.

You can optionally include Tags for the event type. For more information about tagging event types and other kinds of Splunk knowledge, see "About tags and aliases" in this manual.

You can also optionally select a Priority for the event type, where 1 is the highest priority and 10 is the lowest. The Priority setting is important for common situations where you have events that fit two or more event types. When the event turns up in search results, Splunk displays the event types associated with the event in a specific order. You use the Priority setting to ensure that certain event types take precedence over others in this display order.

If you have a number of overlapping event types, or event types that are subsets of larger ones, you may want to give the precisely focused event types a higher priority. For example, you could easily have a set of events that are part of a wide-ranging system_error event type. Within that large set of events, you could have events that also belong to more precisely focused event types like critical_disc_error and bad_external_resource_error.

In a situation like this, you could give the system_error event type a Priority of 10, while giving the other two error codes Priority values in the 1 to 5 range. This way, when events that match both system_error and critical_disc_error appear in search results, the critical_disc_error event type is always listed ahead of the system_error event type.

Maintaining event types in Manager

To update the details of an event type, locate it in the list on the Event Types page in Manager, and click its name. Splunk takes you to the details page for the event type, where you can edit the Search string, Tags, and Priority for the event type, if you have the permissions to do so. You can also update permissions for event types and delete event types through the Event Types page, if you have edit permissions for them.

About event types
Configure event types in eventtypes.conf

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters