Configure event types in eventtypes.conf
You can add new event types and update existing event types by configuring eventtypes.conf. There are a few default event types defined in
$SPLUNK_HOME/etc/system/default/eventtypes.conf. Any event types you create through Splunk Web are automatically added to
Important event type definition restrictions
You cannot base an event type on a search that:
- Includes a pipe operator after a simple search.
- Includes a subsearch.
- Is defined by a simple search that uses the
savedsearchcommand to reference a report name. For example, if you have a report named
failed_login_search, you should not use this search to define the event type:
| savedsearch failed_login_search. In this case you should instead use the search string that defines
failed_login_searchas the definition of the event type.
This last point is more of a best practice than a strict limitation. You want to avoid situations where the search string underneath
failed_login_search is modified by another user at a future date, possibly in a way that breaks the event type. You have more control over the ongoing validity of the event type if you use actual search strings in its definition.
Make changes to event types in
$SPLUNK_HOME/etc/system/README/eventtypes.conf.example as an example, or create your own
$SPLUNK_HOME/etc/system/local/, or your own custom app directory in
$SPLUNK_HOME/etc/apps/. See About configuration files in the Admin Manual.
- Header for the event type
$EVENTTYPEis the name of your event type.
- You can have any number of event types, each represented by a stanza and any number of the following attribute/value pairs.
Note: If the name of the event type includes field names surrounded by the percent character (for example,
%$FIELD%) then the value of
$FIELD is substituted at search time into the event type name for that event. For example, an event type with the header
[cisco-%code%] that has
code=432 becomes labeled
disabled = <1 or 0>
- Toggle event type on or off.
- Set to 1 to disable.
search = <string>
- Search terms for this event type.
- For example: error OR warn.
description = <string>
- Optional human-readable description of the event type.
priority = <integer>
- Specifies the order in which matching event types are displayed for an event. 1 is the highest, and 10 is the lowest.
color = <string>
- Color for this event type.
- Supported colors: none, et_blue, et_green, et_magenta, et_orange, et_purple, et_red, et_sky, et_teal, et_yellow.
Note: You can tag
eventtype field values the same way you tag any other field/value combination. See the
tags.conf spec file for more information.
Here are two event types; one is called
web, and the other is called
[web] search = html OR http OR https OR css OR htm OR html OR shtml OR xls OR cgi [fatal] search = FATAL
Disable event types
Disable an event type by adding
disabled = 1 to the event type stanza
[$EVENTTYPE] disabled = 1
$EVENTTYPE is the name of the event type you wish to disable.
So if you want to disable the
web event type, add the following entry to its stanza:
[web] disabled = 1
Define and maintain event types in Splunk Web
Configure event type templates
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11