Splunk® Enterprise

Knowledge Manager Manual


About event types

Event types are a categorization system to help you make sense of your data. Event types let you sift through huge amounts of data, find similar patterns, and create alerts and reports.

Events versus event types

An event is a single record of activity within a log file. An event typically includes a timestamp and provides information about what occurred on the system being monitored or logged.

An event type is a user-defined field that simplifies search by letting you categorize events. Event types let you classify events that have common characteristics. When your search results come back, they're checked against known event types. An event type is applied to an event at search time if that event matches the event type definition in eventtypes.conf. Tag or save event types after indexing your data.

Event type classification

There are several ways to create your own event types. You can define event types in Splunk Web or in configuration files, or you can save any search as an event type. When saving a search as an event type, you may want to use the punct field to craft your searches. The punct field helps you narrow down searches based on the structure of the event.

Use the punct field to search on similar events

Because the format of an event is often unique to an event type, Splunk software indexes the punctuation characters of events as a field called punct. The punct field stores the first 30 punctuation characters in the first line of the event. This field is useful for finding similar events quickly.

When you use punct, keep in mind:

  • Quotes and backslashes are escaped.
  • Spaces are replaced with an underscore (_).
  • Tabs are replaced with a "t".
  • Dashes that follow alphanumeric characters are ignored.
  • Interesting punctuation characters are: ",;-#$%&+./:=?@\\'|*\n\r\"(){}<>[]^!"
  • The punct field is not available for events in the _audit index because those events are signed using PKI at the time they are generated.


Punct examples

This event:

####<Jun 3, 2005 5:38:22 PM MDT> <Notice> <WebLogicServer> <bea03> <asiAdminServer> <WrapperStartStopAppMain> <>WLS Kernel<> <> <BEA-000360> <Server started in RUNNING mode>

Produces this punctuation:

####<_,__::__>_<>_<>_<>_<>_<>_

This event:

172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953

Produces this punctuation:

..._-_-_[:::_-]_\"_?=_/.\"__

Event type discovery

Splunk Enterprise can help you choose meaningful event types from your search results with the findtypes command.

For more information on findtypes, see find event types.

Create new event types

The simplest way to create a new event type is through Splunk Web. After you run a search that would make a good event type, click Save As and select Event Type. This opens the Save as Event Type dialog, where you can provide the event type name and optionally apply tags to it. For more information about saving searches as event types, see Define and maintain event types in Splunk Web, in this manual.

You can also create new event types by modifying eventtypes.conf. For more information about manually configuring event types in this manner, see "Configure event types directly in eventtypes.conf", in this manual.

Event type tags

Tag event types to organize your data into categories. There can be multiple tags per event. For more information about event type tagging, see the "Tag event types" topic in this manual.

Configuration files for event types

Event types are stored in eventtypes.conf.

Terms for event type discovery are set in eventdiscoverer.conf.


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14


Comments

Alacercogitatus, I can file an enhancement request to add this information. Thanks for the suggestion!

Andrewb splunk, Splunker
November 10, 2015

Howdy! The search definition restrictions should be placed in the spec file somewhere. They are here: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/defineeventtypes#Important_event_type_definition_restrictions

Alacercogitatus
November 9, 2015
