Related Answers
Download topic as PDF
Configure event type templates
Event type templates create event types at search time. If you have Splunk Enterprise, you define event type templates in eventtypes.conf. Edit eventtypes.conf in $SPLUNK_HOME/etc/system/local/, or your own custom app directory in $SPLUNK_HOME/etc/apps/.
For more information on configuration files in general, see "About configuration files" in the Admin manual.
Event type template configuration
Event type templates use a field name surrounded by percent characters to create event types at search time where the %$FIELD% value is substituted into the name of the event type.
[$NAME-%$FIELD%] $SEARCH_QUERY
So if the search query in the template returns an event where %$FIELD%=bar, an event type titled $NAME-bar is created for that event.
Example
[cisco-%code%] search = cisco
If a search on "cisco" returns an event that has code=432, Splunk Enterprise creates an event type titled "cisco-432".
|
PREVIOUS Configure event types in eventtypes.conf |
NEXT About transactions |
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12
Feedback submitted, thanks!