Define and maintain event types in Splunk Web
An event type is defined by a search: every event that the search returns is a member of the event type, so base event types on searches that return a useful, well-bounded collection of events. A single event can match multiple event types.
Any event types you create through Splunk Web are automatically added to eventtypes.conf in
<app> is the app you were in when you created the event type. If you change the permissions on the event type to make it available to all users (either in the app, or globally to all apps), Splunk moves the event type to
Important event type definition restrictions
In addition, you cannot base an event type on a search that references a saved search. For example, if you have a saved search named failed_login_search, you can't create an event type defined by the search savedsearch=failed_login_search. Instead, give the event type the same search string that the saved search uses.
Save a search as an event type
To save a search as an event type:
- Enter the search and run it.
- Click Create and select Event type...
The Save Event Type dialog box pops up, pre-populated with your search string.
- Name the event type.
- Optionally add one or more comma-separated tags for the event type.
- Click Save.
You can now use your event type in searches. If you named your event type foo, you'd use it in a search like this:
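As an added illustration (not part of the original documentation), here is what the procedure above leaves on disk when you save the search behind the failed_login_search example as an event type named failed_login: the event type stanza in eventtypes.conf and the tags in tags.conf. The search string, sourcetype, tag names and the app name are assumptions chosen for illustration; the file locations are the standard app-local paths, with private (user-only) objects living under etc/users/<user>/<app>/local instead.

```ini
# Added example, not from the Splunk documentation.
# Assumed location: $SPLUNK_HOME/etc/apps/search/local/eventtypes.conf
# (an event type saved in the Search app and shared with that app).
[failed_login]
# Assumed search string: SSH authentication failures from a Linux host.
search = sourcetype=linux_secure "Failed password for"
# Not permitted: an event type may not reference a saved search.
# search = savedsearch=failed_login_search

# Tags entered in the Save Event Type dialog are stored separately, keyed by
# the event type's field/value pair.
# Assumed location: $SPLUNK_HOME/etc/apps/search/local/tags.conf
[eventtype=failed_login]
authentication = enabled
failure = enabled
```

You can then search with eventtype=failed_login, or with tag=failure to pick up every event type carrying that tag. To confirm which copy of the stanza Splunk actually uses after a permissions change, run splunk btool eventtypes list failed_login --debug from $SPLUNK_HOME/bin; the --debug flag prints the file each attribute was read from, which is the quickest way to spot a private copy shadowing the shared one.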
Automatically find and build event types
Unsure whether your IT data contains potentially useful event types? Splunk provides two utilities that locate and create event types for you:
- Find event types: The findtypes search command analyzes a given set of events and identifies common patterns that could be turned into useful event types.
- Build event types: The Build Event Type utility enables you to dynamically create event types based on events returned by searches. This utility also enables you to assign specific colors to event types. For example, if you say that a "sendmail error" event type is red, then the next time you run a search that returns events that fit that event type, they'll be easy to spot, because they'll show up as red in the event listing.
Find event types
To use the event type finder, add the findtypes command to the end of your search:
...| findtypes
Searches that use the findtypes command return a breakdown of the most common groups of events found in the search results. They are:
- hierarchically ordered in terms of "coverage" (frequency). This helps you easily identify kinds of events that are subsets of larger event groupings.
- coupled with searches that can be used as the basis for event types that will help you locate similar events.
findtypes returns the top 10 potential event types found in the sample, in terms of the number of events that match each kind of event discovered. You can increase this number by adding a
Splunk also indicates whether or not the event groupings discovered with findtypes have already been associated with other event types.
The findtypes command analyzes 5000 events at most to return these results. You can lower this number by placing the head command ahead of it, for a more efficient search:
...| head 1000 | findtypes
Test potential searches before saving them as event types
When you identify a potentially useful event grouping, test the search associated with it to see if it returns the results you want. Click Test for the event grouping that interests you to see its associated search run in a separate window. After the search runs, review the results it returns to determine whether or not it is capturing the specific information you want.
Save a tested search as an event type
When you find a search that returns the right collection of results, save it as an event type by clicking Save for the event grouping with which it is associated. The Save Event Type dialog appears. Enter a name for the event type, and optionally identify one or more tags that should be associated with it, separated by commas. You can also edit the search if necessary.
Build event types
If you find an event in your search results that you'd like to base an event type on, open the dropdown event menu (find the down arrow next to the event timestamp) and click Build event type.
Splunk takes you to the Build Event Type utility (often referred to as the "Event Type Builder"). You can use this utility to design a search that returns a select set of events, and then create an event type based on that search.
The Build Event Type utility finds a set of sample events that are similar to the one you selected from your search results. In the Event type features sidebar, you'll find possible field/value pairings that you can use to narrow down the event type search further.
The Build Event Type utility also displays a search string under Generated event type at the top of the page. This is the search that the event type you're building will be based upon. As you select other field/value pairs in the Event type features sidebar, the Generated event type updates to include those selections. The list of sample events updates as well, to reflect the kinds of events that the newly modified event type search would return.
If you want to edit the event type search directly, click Edit. This brings up the Edit Event Type dialog, which you can use to edit the search string.
Test potential searches before saving them as event types
When you build a search that you think might be a useful event type, test it. Click Test to see the search run in a separate window.
Save a tested search as an event type
If you test a search and it looks like it's returning the correct set of events, you can click Save to save it as an event type. The Save Event Type dialog appears.
Enter a name for the event type. Then, you can optionally use the Style list to associate a color with the event type. After you save, any event that matches the event type will appear in search results in that color. For example, say you create an event type called sendmail_bounce and save it with a Style of red. Then, when you run a search that returns events that match this event type, those events will be easy to spot, because they'll be colored red.
You can use the Priority list to help Splunk handle situations where events match more than one event type with a Style setting. For example, say you have two event types: one with a High priority and a red style, and one with an Average priority and a teal style. If an event in your results matches both of these event types, the High priority event type trumps the Average priority event type, and the event appears red in your search results.
Add and maintain event types in Manager
The Event Types page in Manager enables you to view and maintain details of the event types that you have created or which you have permission to edit. You can also add new event types through the Event Types page. Event types displayed on the Event Types page may be available globally (system-wide) or they may apply to specific Apps.
Adding an event type in Manager
To add an event type through Manager, navigate to the Event Types page and click New. Splunk takes you to the Add New event types page.
From this page you enter the new event type's Destination App, Name, and the Search string that ultimately defines the event type (see "Save a search as an event type", above).
Note: All event types are initially created for a specific App. To make a particular event type available to all users on a global basis, you have to locate the event type on the Event Types page, click its Permissions link, and change the This app only selection to All apps. For more information about setting permissions for event types (and other knowledge object types), see "Manage knowledge object permissions," in this manual.
You can optionally include Tags for the event type. For more information about tagging event types and other kinds of Splunk knowledge, see "About tags and aliases" in this manual.
You can also optionally select a Priority for the event type, where 1 is the highest priority and 10 is the lowest. The Priority setting is important for common situations where you have events that fit two or more event types. When the event turns up in search results, Splunk displays the event types associated with the event in a specific order. You use the Priority setting to ensure that certain event types take precedence over others in this display order.
If you have a number of overlapping event types, or event types that are subsets of larger ones, you may want to give the precisely focused event types a higher priority. For example, you could easily have a set of events that are part of a wide-ranging system_error event type. Within that large set of events, you could have events that also belong to more precisely focused event types like critical_disc_error. In a situation like this, you could give the system_error event type a Priority of 10, while giving the more focused error event types Priority values in the 1 to 5 range. This way, when events that match both system_error and critical_disc_error appear in search results, the critical_disc_error event type is always listed ahead of the system_error event type.
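The following eventtypes.conf fragment is an added example, not from the original documentation. It expresses the overlapping system_error and critical_disc_error event types described above as configuration, combining the Priority setting from this section with the Style (color) setting from the Build Event Type utility section. The search strings are assumptions; priority maps to the Priority list (1 is highest, 10 lowest), and color is assumed here to be the attribute behind the Style list, with values such as et_red and et_teal.

```ini
# Added example, not from the Splunk documentation.
# Assumed location: $SPLUNK_HOME/etc/apps/search/local/eventtypes.conf

# Broad catch-all: matches any syslog event that looks like an error.
[system_error]
search = sourcetype=syslog (error OR err OR fail*)
priority = 10
color = et_teal

# Narrow subset of system_error: kernel block-device I/O failures.
# Higher priority (lower number) so it is listed first, and its color wins
# when an event matches both event types.
[critical_disc_error]
search = sourcetype=syslog "I/O error" (sd* OR hd* OR nvme*)
priority = 1
color = et_red
```

Because the eventtype field is multivalued, you can check the overlap directly with a search such as eventtype=critical_disc_error | stats count by eventtype: an event that matches both stanzas is counted under each. If the narrow event type does not appear ahead of the broad one in the event listing, verify with splunk btool eventtypes list --debug that no higher-precedence copy of the stanza (for example, a private copy under etc/users) is overriding the priority you set.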
Maintaining event types in Manager
To update the details of an event type, locate it in the list on the Event Types page in Manager, and click its name. Splunk takes you to the details page for the event type, where you can edit the Search string, Tags, and Priority for the event type, if you have the permissions to do so. You can also update permissions for event types and delete event types through the Event Types page, if you have edit permissions for them.
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18